To help our customers assess our information security practices with confidence, we’ve completed the Cloud Security Alliance (CSA) CAIQ – Consensus Assessments Initiative Questionnaire.
This standardised questionnaire provides transparent, structured responses about how we implement key security controls across our systems and operations.
The CAIQ is widely recognized as a trusted alternative to sharing full internal policy documents. It allows us to demonstrate compliance with frameworks such as ISO 27001, while protecting sensitive information within our internal documentation. Our completed CAIQ covers essential areas including access control, data protection, encryption, audit and compliance, and more.
We’ve created this document to proactively support your due diligence and vendor risk assessments. You can view the full CAIQ content below or download it here as an Excel file for easier review.
| Question | Response |
| Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained audit and assurance policies, procedures, and standards as part of our ISO 27001 certified Information Security Management System (ISMS). These policies cover various aspects of security, including access control, data protection, incident response, and compliance with legal and regulatory requirements. Regular audits and reviews are conducted to ensure ongoing compliance and continual improvement of our security practices. |
| Are audit and assurance policies, procedures, and standards reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates its audit and assurance policies, procedures, and standards at least annually in accordance with ISO 27001 requirements. This ensures our practices remain aligned with evolving security threats, technological advancements, and regulatory changes. |
| Are independent audit and assurance assessments conducted according to relevant standards at least annually? |
Yes, Built Intelligence conducts independent audit and assurance assessments annually in accordance with relevant standards, including ISO 27001 and Cyber Essentials Plus. These assessments are performed by certified third-party auditors to ensure compliance and to identify areas for improvement in our security and compliance posture. |
| Are independent audit and assurance assessments performed according to risk-based plans and policies? |
Yes, Built Intelligence performs independent audit and assurance assessments according to risk-based plans and policies. These assessments are aligned with our ISO 27001 certified Information Security Management System (ISMS) and include regular internal and external audits to ensure compliance with established security standards and practices. The frequency and scope of these audits are determined based on a risk assessment, ensuring that critical areas are reviewed more frequently and in greater depth. |
| Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit? |
Yes, FastDraft ensures compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit. Our platform adheres to ISO 27001 standards, and we maintain rigorous alignment with GDPR, Cyber Essentials Plus, and other relevant frameworks. We conduct regular internal and external audits to verify compliance and continuously improve our security and data protection practices. |
| Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence? |
Yes, Built Intelligence has implemented a comprehensive audit management process as part of our ISO 27001 certified Information Security Management System (ISMS). This process supports audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence. Our process ensures continuous improvement and compliance with industry standards and regulatory requirements. |
| Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained a risk-based corrective action plan to remediate audit findings. This plan is part of our ISO 27001 certified Information Security Management System (ISMS), ensuring systematic review and management of audit findings. The process includes identifying risks, implementing corrective actions, monitoring effectiveness, and making necessary adjustments to enhance our security posture continuously. |
| Is the remediation status of audit findings reviewed and reported to relevant stakeholders? |
Yes, the remediation status of audit findings is reviewed and reported to relevant stakeholders. FastDraft, hosted on Microsoft Azure, adheres to strict compliance and audit processes. We conduct regular internal and external audits, and findings are documented and tracked through our compliance management system. Remediation actions are assigned and monitored for completion. Status updates and final reports are communicated to relevant stakeholders, including management and, if applicable, external clients, ensuring transparency and accountability in our compliance and security posture. |
| Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained application security policies and procedures. These guide the appropriate planning, delivery, and support of our organization's application security capabilities. Our policies align with ISO 27001 standards and are integrated into our Information Security Management System (ISMS), ensuring continuous improvement and compliance with relevant security requirements. These policies are regularly reviewed and updated to adapt to new security threats and technological changes, ensuring robust application security across our FastDraft platform hosted on Microsoft Azure. |
| Are application security policies and procedures reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates application security policies and procedures at least annually as part of our ISO 27001 certified Information Security Management System (ISMS). This ensures our practices remain aligned with current security standards and regulatory requirements. |
| Are baseline requirements to secure different applications established, documented, and maintained? |
Yes, baseline security requirements for different applications within FastDraft are established, documented, and maintained in accordance with our Information Security Management System (ISMS), which aligns with ISO 27001 standards. These requirements are regularly reviewed and updated to ensure they meet current security standards and compliance obligations. Additionally, our platform leverages Microsoft Azure's infrastructure, which provides built-in security controls and compliance certifications, further supporting our security posture. |
| Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations? |
Yes, Built Intelligence defines and implements technical and operational metrics according to business objectives, security requirements, and compliance obligations. These metrics are aligned with our ISO 27001 certified Information Security Management System (ISMS) and are designed to ensure continuous monitoring and improvement of our security posture. Metrics include system performance, incident response times, compliance audit results, and user activity logs, all of which are regularly reviewed and reported to ensure alignment with our business objectives and compliance with GDPR and other regulatory requirements. |
| Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements? |
Yes, Built Intelligence has a defined and implemented Software Development Life Cycle (SDLC) process for application design, development, deployment, and operation that adheres to organizationally designed security requirements. This process is detailed in our SDLC documentation and is aligned with ISO 27001 controls, ensuring continuous improvement and compliance with our security and quality management standards. |
| Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals? |
Yes, FastDraft employs a comprehensive testing strategy that outlines criteria for accepting new information systems, upgrades, and new versions. This strategy ensures application security and compliance adherence while meeting organizational speed of delivery goals. Our approach includes automated and manual testing phases, security scans, compliance checks, and performance benchmarks, all integrated into our CI/CD pipeline managed on Microsoft Azure DevOps. This process aligns with our ISO 27001 and Cyber Essentials Plus certifications, ensuring that each release is secure, compliant, and delivered efficiently. |
| Is testing automated when applicable and possible? | Yes, FastDraft employs automated testing where applicable and possible, utilizing Microsoft Azure DevOps for continuous integration and deployment. Automated tests include unit tests, integration tests, and UI tests to ensure code quality and functionality before deployment. This approach aligns with industry best practices to maintain high standards of software reliability and performance. |
| Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner? |
Yes, FastDraft employs secure, standardized, and compliant strategies for deploying application code. We utilize Microsoft Azure DevOps for continuous integration and continuous deployment (CI/CD), ensuring that code is tested and deployed in a controlled and repeatable manner. Our deployment processes are aligned with ISO 27001 standards, incorporating automated security scans and code reviews to maintain code integrity and security. Additionally, we adhere to Microsoft's best practices for Azure, further enhancing our deployment security and compliance. |
| Is the deployment and integration of application code automated where possible? | Yes, the deployment and integration of application code in FastDraft are automated where possible. We utilize Microsoft Azure DevOps for continuous integration and continuous deployment (CI/CD) pipelines, ensuring that code changes are automatically built, tested, and deployed to production environments efficiently and reliably. This automation helps in maintaining high standards of code quality and security compliance. |
| Are application security vulnerabilities remediated following defined processes? | Yes, Built Intelligence follows defined processes for remediating application security vulnerabilities, aligned with our ISO 27001 certified Information Security Management System (ISMS). Our process includes identification through regular security scans and penetration testing, risk assessment, prioritization based on severity, and remediation through secure coding updates or configuration changes. All changes are tested in a staging environment before deployment to production. This systematic approach ensures vulnerabilities are addressed promptly and effectively, minimizing potential risks to our platform and customer data. |
| Is the remediation of application security vulnerabilities automated when possible? |
Yes, the remediation of application security vulnerabilities in FastDraft is automated when possible. We leverage Microsoft Azure's integrated security tools, such as Azure Security Center and Azure Defender, to automatically apply security patches and updates to the underlying PaaS services. Additionally, our development processes include automated dependency checks and security scanning within our CI/CD pipelines to identify and address vulnerabilities before deployment. For high-severity issues, automated alerts are configured to notify our security team for immediate action. This approach aligns with our ISO 27001 and Cyber Essentials Plus standards, ensuring a proactive stance on vulnerability management. |
| Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained business continuity management and operational resilience policies and procedures. These are aligned with ISO 27001 standards and are regularly reviewed and tested to ensure they remain effective and appropriate to the organizational needs and compliance requirements. |
| Are the policies and procedures reviewed and updated at least annually? | Yes, the policies and procedures are reviewed and updated at least annually to ensure they remain effective and compliant with current regulations and standards. This is in line with our commitment to maintaining high standards of security and compliance, as outlined in our internal documentation and governance frameworks. |
| Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts? |
Yes, the criteria for developing business continuity and operational resiliency strategies and capabilities at Built Intelligence are established based on business disruption and risk impacts. Our Business Continuity Plan (BCP) and operational resiliency strategies are informed by thorough risk assessments and business impact analyses, as outlined in our ISMS documentation. These assessments consider various disruption scenarios and their potential impacts on our operations, ensuring that our strategies are robust and effective in maintaining critical functions and protecting information assets during adverse situations. |
| Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite? |
Yes, FastDraft has developed strategies to reduce the impact of, withstand, and recover from business disruptions in accordance with our risk appetite. These strategies are aligned with our Business Continuity Plan (BCP) and Disaster Recovery (DR) protocols, which are part of our ISO 27001 certified Information Security Management System (ISMS). We conduct regular risk assessments and business impact analyses to ensure that our strategies are effective and compliant with industry standards. Additionally, our hosting on Microsoft Azure provides robust infrastructure resilience, including geo-redundant storage and backup solutions, to support our continuity strategies. |
| Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan? |
Yes, Built Intelligence incorporates operational resilience strategies and capability results to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan as outlined in our ISMS DOC ORG09. This plan is regularly updated and tested to ensure it remains effective and compliant with ISO 27001 standards. The plan includes detailed procedures for responding to incidents, ensuring information security continuity, and recovering IT systems at an alternative location within a specified timeframe. |
| Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans? |
Yes, FastDraft has developed, identified, and acquired relevant documentation to support business continuity and operational resilience plans. This includes our Business Continuity Plan (ISMS DOC ORG09), which outlines procedures for IT system recovery at alternative locations, maintaining operations during disruptions, and ensuring information security continuity. Additionally, we utilize Microsoft Azure's robust infrastructure, which includes built-in disaster recovery and high availability features, further supporting our operational resilience. |
| Is business continuity and operational resilience documentation available to authorized stakeholders? |
Yes, business continuity and operational resilience documentation is available to authorized stakeholders. Access to such documentation is controlled through role-based access permissions to ensure that only authorized personnel have access to sensitive information. This documentation is classified as restricted and is subject to data protection legislation to ensure confidentiality and integrity. |
| Is business continuity and operational resilience documentation reviewed periodically? | Yes, the business continuity and operational resilience documentation is reviewed periodically in alignment with our ISO 27001 certification requirements and internal policies. These documents are updated as necessary to reflect changes in business processes, technology, and compliance obligations, ensuring that our response strategies remain effective and relevant. |
| Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur? |
Yes, Built Intelligence exercises and tests its business continuity and operational resilience plans annually and when significant changes occur, in alignment with ISO 27001 and our internal ISMS policies. These tests include tabletop exercises, scenario testing, and full recovery simulations to ensure that our response procedures are effective and that staff are familiar with their roles in such events. The results are reviewed to identify any necessary improvements to our plans. |
| Do business continuity and resilience procedures establish communication with stakeholders and participants? |
Yes, the business continuity and resilience procedures established by Built Intelligence include comprehensive communication strategies with stakeholders and participants. These procedures are detailed in our Business Continuity Plan (ISMS DOC ORG09), which outlines how communication within the organization and with external parties will be handled during a disruptive incident. This includes maintaining effective communication with all relevant stakeholders and ensuring that information released to third parties is managed to be timely and accurate. The plan specifies the use of telephone and email as primary communication methods, with detailed guidelines to ensure clarity and accuracy in all communications. |
| Is cloud data periodically backed up? | Yes, cloud data on FastDraft is periodically backed up. We utilize Microsoft Azure's robust backup services, ensuring data is backed up with a default frequency and retention policy that aligns with our RPO (Recovery Point Objective) commitments. Custom backup frequencies and retention periods can be configured based on specific client requirements during the implementation phase. |
| Is the confidentiality, integrity, and availability of backup data ensured? | Yes, the confidentiality, integrity, and availability of backup data are ensured through a combination of Microsoft Azure’s built-in security features and our own stringent data management policies, aligned with ISO 27001 and Cyber Essentials Plus standards. Backup data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. We utilize Azure’s geo-redundant storage (GRS) to ensure high availability and resilience against data loss. Access to backup data is strictly controlled through role-based access controls (RBAC) and multi-factor authentication (MFA), ensuring that only authorized personnel can access sensitive backup information. Regular audits and compliance checks further reinforce the security and integrity of our backup processes. |
| Can backups be restored appropriately for resiliency? | Yes, FastDraft ensures appropriate backup restoration for resiliency. We utilize Azure's robust backup and disaster recovery capabilities, which include geo-redundant storage to ensure data is replicated in multiple locations. Our backup procedures are tested regularly to confirm that data can be restored accurately and promptly in the event of an incident. This aligns with our ISO 27001 certified processes, ensuring data integrity and availability. |
| Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters? |
Yes, Built Intelligence has established, documented, approved, applied, evaluated, and maintained a disaster response plan to ensure recovery from natural and man-made disasters. This plan is part of our Business Continuity Plan (BCP) and Disaster Recovery (DR) strategies, which are aligned with ISO 27001 standards and tested annually to ensure effectiveness. The plan includes detailed recovery procedures for IT systems at alternative locations, maintains information security controls during adverse situations, and is continually updated based on risk assessments and test results. |
| Is the disaster response plan updated at least annually, and when significant changes occur? |
Yes, Built Intelligence Ltd’s business continuity plans, including the disaster response plan, are tested and updated on an annual basis. Additionally, the plans are revised when significant changes occur in the business or infrastructure, ensuring they remain current and effective. This process is part of our commitment to maintaining robust business continuity and disaster recovery strategies. |
| Is the disaster response plan exercised annually or when significant changes occur? |
Yes, Built Intelligence's disaster response plan is exercised annually and when significant changes occur, ensuring continuous improvement and readiness in alignment with ISO 27001 and our internal business continuity policies. This regular testing helps us to identify and address potential gaps in our response strategies and maintain a high level of resilience. |
| Are local emergency authorities included, if possible, in the exercise? | Built Intelligence includes business continuity and disaster recovery (BC/DR) testing as part of its annual operational risk assessment for the FastDraft platform, which is hosted in Microsoft Azure. While direct inclusion of local emergency authorities is not typically required due to the nature of our cloud-based SaaS delivery, our incident response and escalation procedures align with regional Azure data center protocols, which do involve local authorities when necessary. In regions where FastDraft is deployed, we ensure that our response plans align with Azure’s local compliance and continuity frameworks, which include cooperation with emergency services during major regional disruptions. |
| Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards? |
Yes, FastDraft is hosted on Microsoft Azure, which employs redundancy and failover mechanisms across geographically distributed data centers to ensure business-critical equipment is supplemented as per industry standards. Azure's architecture supports high availability and disaster recovery, aligning with industry best practices and compliance requirements. |
| Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, and configurations. These procedures are part of our ISO 27001 compliant Information Security Management System (ISMS) and are integrated into our change management processes as outlined in the Operations (ISMS DOC TEC01). This includes handling changes due to incidents, new installations, upgrades, and compliance with new legislation or business requirements. All changes undergo risk assessments and are subject to approval and review processes to ensure security and compliance, whether managed internally or by external providers. |
| Are the policies and procedures reviewed and updated at least annually? | Yes, FastDraft's policies and procedures are reviewed and updated at least annually to ensure compliance with industry standards and regulatory requirements. This regular review process is part of our commitment to maintaining robust security and compliance standards, as outlined in our internal documentation and supported by our ISO 27001 certification. |
| Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed? |
Yes, FastDraft follows a defined quality change control, approval, and testing process with established baselines, testing, and release standards. Our development and release processes are managed through Microsoft Azure DevOps, which supports continuous integration and delivery pipelines, ensuring that all changes are tested and approved before deployment. We adhere to strict testing protocols including unit testing, integration testing, and user acceptance testing to maintain high-quality standards. Additionally, our processes are aligned with ISO 27001 standards to ensure compliance and security in all changes and releases. |
| Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)? |
Yes, Built Intelligence manages risks associated with changing organizational assets, including applications, systems, infrastructure, and configurations, whether managed internally or outsourced. Our ISO 27001 certified Information Security Management System (ISMS) includes a structured change management process that encompasses risk assessment, impact analysis, and approval procedures for all changes to our assets. This process ensures that all changes are reviewed for security implications and that appropriate controls are implemented to mitigate risks. Additionally, our subcontractors and supply chain partners are required to adhere to the same stringent security controls and processes, ensuring consistency and security across all managed assets. |
| Is the unauthorized addition, removal, update, and management of organization assets restricted? |
Yes, the unauthorized addition, removal, update, and management of organization assets are restricted on the FastDraft platform. We enforce strict role-based access controls (RBAC) that ensure only authorized personnel have the necessary permissions to manage assets. These controls are implemented both at the application level within FastDraft and at the infrastructure level through Microsoft Azure's security management features. Additionally, all actions taken on assets are logged and monitored to ensure compliance and to facilitate audits. |
| Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs? |
Yes, provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests are explicitly included within the service level agreements (SLAs) between cloud service providers (CSPs) and cloud service customers (CSCs). These provisions ensure that any significant changes to the hosted environment, including updates or modifications that could affect the CSC-owned environments, are only conducted with prior approval from the tenant. This is part of our commitment to maintaining the integrity and security of tenant environments and aligns with our ISO 27001 and SOC 2 Type 2 compliance frameworks. |
| Are change management baselines established for all relevant authorized changes on organizational assets? |
Yes, change management baselines are established for all relevant authorized changes on organizational assets within the FastDraft platform, hosted on Microsoft Azure. Our change management process is aligned with industry best practices and is documented in our internal ISMS policies. This process ensures that all changes are reviewed, tested, approved, and documented before implementation to maintain the integrity and security of the platform. Azure's infrastructure also supports robust change management capabilities, further ensuring the stability and security of our services. |
| Are detection measures implemented with proactive notification if changes deviate from established baselines? |
Yes, FastDraft employs proactive notification measures for detecting deviations from established baselines. This is facilitated through Azure Monitor and Azure Security Center, which continuously evaluate system performance and security configurations against predefined baselines. Alerts are generated and sent to the system administrators if any deviations are detected, ensuring immediate attention and remediation. This capability is part of our commitment to maintaining a secure and reliable platform, in line with ISO 27001 and Cyber Essentials Plus standards. |
| Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process? |
Yes, FastDraft has implemented a procedure to manage exceptions, including emergencies, in the change and configuration process. This procedure is part of our broader IT Service Management framework, which aligns with ISO 27001 standards. The process includes steps for identifying, assessing, and approving exceptions, with specific criteria and controls for emergency changes to ensure they are handled efficiently without compromising security. The procedure is documented and reviewed regularly to ensure its effectiveness and compliance with our security policies. |
| Is the procedure aligned with the requirements of the GRC-04: Policy Exception Process?' |
Yes, the procedure outlined in the Leadership (ISMS DOC C5) - Restricted document is aligned with the requirements of the GRC-04: Policy Exception Process. The document clearly defines roles, responsibilities, and authorities, ensuring that exceptions to policies are managed appropriately and in accordance with the strategic direction of the organization. This includes the assignment of specific roles such as the Information Security Manager and the Information Security Team, who have the authority to approve significant expenditures and high-level policies related to information security, which are essential components of managing policy exceptions effectively. |
| Is a process to proactively roll back changes to a previously known "good state" defined and implemented in case of errors or security concerns? |
Yes, FastDraft has a defined and implemented process to proactively roll back changes to a previously known "good state" in case of errors or security concerns. This process is part of our robust change management and incident response protocols, which are aligned with ISO 27001 standards. We utilize Azure's deployment slots for staging and production environments, allowing us to test changes in a controlled manner before they go live. In the event of an error or security concern, we can quickly revert to the last known good configuration using Azure's point-in-time restore capabilities for databases and rollback features for application deployments. This ensures minimal disruption and maintains the integrity and security of our platform. |
| Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained cryptography, encryption, and key management policies and procedures. These are aligned with industry best practices and standards, including ISO 27001 and Cyber Essentials Plus. Our cryptographic controls are managed through Microsoft Azure services, ensuring robust encryption of data at rest using AES-256 and secure management of cryptographic keys via Azure Key Vault. All policies and procedures are regularly reviewed and updated to address emerging risks and technological changes. |
| Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually? |
Yes, the cryptography, encryption, and key management policies and procedures are reviewed and updated at least annually. This is ensured by the Information Security Team in accordance with our ISMS policies, which mandate regular reviews in line with emerging risks and changes to the business environment. |
| Are cryptography, encryption, and key management roles and responsibilities defined and implemented? |
Yes, cryptography, encryption, and key management roles and responsibilities are clearly defined and implemented within our organization. The Information Security Manager oversees compliance with our cryptographic policies, which are in line with ISO 27001 standards. Individual asset owners are responsible for applying cryptographic controls and securing cryptographic keys. Our use of Microsoft Azure also ensures that encryption and key management are handled according to industry best practices, utilizing Azure Key Vault for key management and encryption protocols like AES-256 for data at rest. |
| Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards? |
Yes, data at-rest and in-transit are cryptographically protected using cryptographic libraries certified to approved standards. FastDraft utilizes Microsoft Azure's built-in encryption mechanisms, which include AES-256 encryption for data at-rest and TLS 1.2 or higher for data in-transit. These cryptographic libraries and protocols are compliant with industry standards and certifications such as ISO 27001 and SOC 2 Type 2, ensuring robust data protection and security compliance. |
| Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability? |
Yes, Built Intelligence uses appropriate data protection encryption algorithms that consider data classification, associated risks, and encryption technology usability. All data within our Azure environments is encrypted using AES-256 for data at rest, and HTTPS/TLS v1.2 for data in transit, aligning with industry standards and best practices. Our cryptographic practices are managed according to our ISO 27001 certified Information Security Management System, ensuring the confidentiality, integrity, and availability of sensitive and critical information. |
| Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources? |
Yes, FastDraft has established standard change management procedures to review, approve, implement, and communicate changes related to cryptography, encryption, and key management technologies. These procedures accommodate both internal and external sources, ensuring that all changes are aligned with our security policies and compliance requirements. The process involves multiple stages including proposal, impact assessment, approval by the Information Security Manager, and communication to relevant stakeholders. This structured approach ensures that all cryptographic changes are managed securely and effectively within our Microsoft Azure-hosted environment. |
| Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures, managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis? |
Yes, changes to cryptography, encryption, and key management-related systems, policies, and procedures are managed and adopted in a manner that fully accounts for downstream effects, including residual risk, cost, and benefits analysis. This is ensured through our structured Change Control Procedure, which requires that all changes affecting information security, including those related to cryptography and key management, be reflected in our business continuity plans. The procedure involves risk assessment and business impact analysis to determine the information security requirements applicable to adverse situations, ensuring that all changes are comprehensively evaluated before implementation. |
| Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions? |
Yes, Built Intelligence has established and maintains a comprehensive cryptography, encryption, and key management risk program as outlined in our ISMS documentation. This program includes risk assessment, risk treatment, understanding the risk context, and provisions for monitoring and feedback. This is managed according to the guidelines set forth in our Cryptography (ISMS DOC TEC04) and is supported by our use of Microsoft Azure's infrastructure, which includes built-in encryption capabilities for data at rest and in transit, and Azure Key Vault for key management. This ensures that cryptographic practices are aligned with industry standards and compliance requirements. |
| Are CSPs providing CSCs with the capacity to manage their own data encryption keys? |
Yes, Microsoft Azure, the cloud service provider (CSP) for FastDraft, offers customers the capability to manage their own data encryption keys through Azure Key Vault. This service allows customers to control and manage the lifecycle of their encryption keys independently, ensuring enhanced security and compliance with their specific requirements. |
| Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system's risk exposure, and after any security event? |
Yes, Built Intelligence's encryption and key management systems, policies, and processes are audited with a frequency proportional to the system's risk exposure and after any security event. These audits are part of our ISO 27001 certified Information Security Management System (ISMS), ensuring that all encryption keys and sensitive data handling practices are regularly reviewed and compliant with industry standards. Additionally, any significant changes in our encryption and key management infrastructure or any security events trigger an immediate review and re-assessment of relevant controls. This approach aligns with our commitment to maintaining robust security and data protection standards across all operations. |
| Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)? |
Yes, encryption and key management systems, policies, and processes are audited annually as part of our ISO 27001 certification requirements. We use Microsoft Azure Key Vault for managing encryption keys, which is also audited and compliant with multiple standards including ISO 27001. These audits ensure that our encryption practices and key management procedures remain secure and effective. |
| Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications? |
Yes, Built Intelligence uses industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications. Our cryptographic practices are aligned with Microsoft Azure's platform standards, which include the use of SHA-256 for hashing and AES-256 for encryption at rest. Azure ensures that all cryptographic keys are managed securely through Azure Key Vault, supporting robust key management and compliance with industry standards. |
| Are private keys provisioned for a unique purpose managed, and is cryptography secret? |
Yes, private keys provisioned for unique purposes are managed securely, and cryptography is kept confidential. In our Azure-hosted FastDraft platform, cryptographic keys are managed using Azure Key Vault, which ensures that keys are protected and access is strictly controlled through role-based access controls. Azure Key Vault provides secure key management and ensures that private keys are not exposed to unauthorized users. Additionally, all cryptographic operations are logged to ensure traceability and accountability. |
| Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements? |
Yes, Built Intelligence manages cryptographic keys based on a defined cryptoperiod that considers information disclosure risks and legal and regulatory requirements. We use Azure Key Vault for key management, which supports automated key rotation and compliance with industry standards and regulations. This ensures that cryptographic keys are rotated in alignment with security best practices and legal obligations. |
| Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions? |
Yes, Built Intelligence ensures that cryptographic keys are revoked and removed before the end of the established cryptoperiod, in cases where a key is compromised or an entity is no longer part of the organization. This is managed through defined, implemented, and evaluated processes and procedures that comply with legal and regulatory requirements. Our key management practices are aligned with ISO 27001 standards and utilize Azure Key Vault for secure key management, ensuring that keys are handled according to strict security protocols and lifecycle management guidelines. |
| Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments, revocation of keys stored in hardware security modules (HSMs), and include applicable legal and regulatory requirement provisions? |
Yes, Built Intelligence has defined, implemented, and evaluated processes, procedures, and technical measures for the destruction of unneeded cryptographic keys. These measures address key destruction outside secure environments and revocation of keys stored in hardware security modules (HSMs). Our key management practices are aligned with legal and regulatory requirements, ensuring compliance and secure cryptographic operations. These practices are documented in our ISMS and are reviewed regularly to maintain their effectiveness and compliance. |
| Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, FastDraft implements processes, procedures, and technical measures to manage the creation of keys in a pre-activated state, ensuring compliance with legal and regulatory requirements. Our key management practices are aligned with ISO 27001 standards, which include the generation, storage, and handling of cryptographic keys. Keys are generated and managed using Microsoft Azure Key Vault, which provides secure key management while adhering to compliance frameworks. These keys are not activated until they pass our stringent internal authorization processes, which include compliance checks and security validations to meet both legal and regulatory standards. |
| Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, FastDraft has defined, implemented, and continuously evaluates processes, procedures, and technical measures to monitor, review, and approve key transitions, including state changes such as suspension. These measures are designed to comply with legal and regulatory requirements. Our platform, hosted on Microsoft Azure, leverages Azure's compliance and security frameworks, which are aligned with global standards including ISO 27001 and Cyber Essentials Plus. Additionally, role-based access controls and logging mechanisms are in place to ensure that transitions are authorized and recorded in compliance with legal provisions. |
| Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, FastDraft has defined, implemented, and regularly evaluates processes, procedures, and technical measures to deactivate keys upon their expiration date. These measures are designed to comply with legal and regulatory requirements. We utilize Microsoft Azure Key Vault for key management, which automates key rotation and expiration based on policies we set. This ensures that expired keys are deactivated and new keys are issued in compliance with our security policies and relevant legal standards. Additionally, our ISO 27001 certification and adherence to Cyber Essentials Plus guidelines reinforce our commitment to robust key management practices. |
| Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to manage archived cryptographic keys in a secure repository. This management aligns with legal and regulatory requirements, ensuring least privilege access. Our cryptographic key management practices are part of our ISO 27001 certified Information Security Management System (ISMS), which includes strict access controls, regular audits, and compliance checks to maintain the confidentiality, integrity, and availability of cryptographic keys. |
| Are processes, procedures, and technical measures to use compromised keys to encrypt information in specific scenarios (e.g., only in controlled circumstances and thereafter only for data decryption and never for encryption) defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, Built Intelligence has defined, implemented, and evaluated processes, procedures, and technical measures for the use of compromised keys, specifically in scenarios where they are used only in controlled circumstances for data decryption and never for encryption. This approach aligns with legal and regulatory requirements, ensuring compliance while maintaining the security and integrity of data. |
| Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? |
Yes, FastDraft has defined, implemented, and continuously evaluates processes, procedures, and technical measures to assess operational continuity risks, including the risk of losing control of keying material and exposing protected data. These measures are aligned with legal and regulatory requirements, and are part of our ISO 27001 certified Information Security Management System (ISMS). This includes regular risk assessments, business impact analyses, and compliance checks to ensure that all aspects of operational continuity are addressed and meet the necessary legal and regulatory standards. |
| Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirements provisions? |
Yes, FastDraft's key management system processes, procedures, and technical measures are defined, implemented, and evaluated to track and report all cryptographic materials and status changes, including provisions for legal and regulatory requirements. We utilize Azure Key Vault for managing cryptographic keys and secrets, ensuring compliance with industry standards and legal regulations. Our system is aligned with ISO 27001 standards, which include regular audits and reviews to ensure ongoing compliance and effectiveness of the cryptographic controls. |
| Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained? |
Yes, policies and procedures for the secure disposal of equipment used outside the organization's premises are established, documented, approved, communicated, enforced, and maintained. These include ensuring that any sensitive data and licensed software have been removed or securely wiped prior to disposal or reuse. The Information Security Manager is responsible for overseeing these processes, and all actions are in compliance with our ISMS policies and relevant legal and regulatory requirements. |
| Is a data destruction procedure applied that renders information recovery information impossible if equipment is not physically destroyed? |
Yes, Built Intelligence applies a data destruction procedure that renders information recovery impossible, even if the equipment is not physically destroyed. This procedure is in accordance with our ISO 27001 certified Information Security Management System (ISMS). We use certified data wiping software that adheres to international standards such as NIST 800-88 to ensure all data is irreversibly destroyed. Additionally, all storage media are encrypted, further securing data against unauthorized recovery attempts. This process is documented and auditable as part of our compliance with ISO 27001 standards. |
| Are policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures for the secure disposal of equipment used outside the organization's premises annually. This is in accordance with our ISO 27001 certified Information Security Management System (ISMS), which includes controls for asset management and disposal. These policies ensure that all data is securely erased and equipment is disposed of in an environmentally responsible manner. |
| Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, maintained? |
Yes, policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location are established, documented, approved, communicated, implemented, enforced, and maintained as part of our ISO 27001 certified Information Security Management System (ISMS). These procedures ensure the security and integrity of assets during transfer or relocation, aligning with our commitment to protect information under all circumstances. |
| Does a relocation or transfer request require written or cryptographically verifiable authorization? |
Yes, a relocation or transfer request within our FastDraft platform requires written or cryptographically verifiable authorization. This is to ensure the security and integrity of user data and compliance with our operational controls and procedures. |
| Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually? |
Yes, policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location are reviewed and updated at least annually, in compliance with our ISO 27001 certified Information Security Management System (ISMS). This ensures that all changes in operations, threats, or technologies are reflected in our practices to maintain security and compliance. |
| Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained? |
Yes, policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities are established, documented, approved, communicated, enforced, and maintained as outlined in the Physical Security (ISMS DOC PH01) document. This includes controlled access to physical locations, securing offices, rooms, and facilities, and protecting against external and environmental threats. These measures are regularly reviewed and updated to ensure compliance and effectiveness. |
| Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures for maintaining safe, secure working environments, including offices and rooms, at least annually. This is in alignment with our health and safety policy and ISO 27001 requirements, ensuring continual improvement and compliance with applicable legal and regulatory standards. |
| Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, enforced, evaluated, and maintained policies and procedures for the secure transportation of physical media. These procedures are part of our ISO 27001 certified Information Security Management System (ISMS) and align with our physical security and asset management controls. The policies ensure that all physical media containing sensitive information are handled and transported securely to mitigate risks of unauthorized access, loss, or damage. |
| Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures for the secure transportation of physical media annually as part of our ISO 27001 compliance. This ensures that all practices remain effective and aligned with current security standards and business requirements. |
| Is the classification and documentation of physical and logical assets based on the organizational business risk? |
Yes, Built Intelligence classifies and documents physical and logical assets based on organizational business risk. This process is integral to our ISMS and aligns with ISO 27001 standards, ensuring that all assets are evaluated for their confidentiality, integrity, and availability requirements. Asset classification and documentation are regularly reviewed and updated to reflect any changes in business risk or operational requirements. |
| Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system? |
Yes, all relevant physical and logical assets at all CSP sites are cataloged and tracked within a secured system. FastDraft utilizes Microsoft Azure's infrastructure, which includes comprehensive asset management practices that are compliant with ISO 27001 standards. Azure ensures that all assets are inventoried and managed with strict access controls and monitoring to safeguard against unauthorized access and ensure the integrity of our services. |
| Are physical security perimeters implemented to safeguard personnel, data, and information systems? |
Yes, Built Intelligence implements physical security perimeters to safeguard personnel, data, and information systems. Our office locations feature controlled access, CCTV monitoring, and burglar alarms. Additionally, the Microsoft Azure data centers where the FastDraft platform is hosted employ robust physical security measures including biometric access controls, 24/7 security personnel, and environmental controls to protect against natural disasters and unauthorized access. These measures are in compliance with ISO 27001 and other relevant standards, ensuring a secure physical environment for both personnel and data. |
| Are physical security perimeters established between administrative and business areas, data storage, and processing facilities? |
Yes, Built Intelligence has established physical security perimeters between administrative and business areas, data storage, and processing facilities. Our physical security measures include controlled access points, CCTV surveillance, and secure areas designated for sensitive data handling and processing. These controls are in place at both our office locations and the Microsoft Azure data centers where the FastDraft platform is hosted, ensuring compliance with ISO 27001 and Cyber Essentials Plus standards. |
| Is equipment identification used as a method for connection authentication? | Yes, Built Intelligence enforces strong identity and access controls for administrative and internal access to the FastDraft platform, which includes device-level trust policies. Managed endpoints are enrolled in secure device management systems, and equipment identification (such as certificates and endpoint compliance checks) is used to authenticate internal connections. All administrative access to Azure-hosted infrastructure is gated through multi-factor authentication (MFA), conditional access policies, and device identity recognition to support a zero-trust architecture. |
| Are solely authorized personnel able to access secure areas, with all ingress and egress areas restricted, documented, and monitored by physical access control mechanisms? |
Yes, solely authorized personnel are able to access secure areas at Built Intelligence. All ingress and egress areas are restricted, documented, and monitored by physical access control mechanisms such as CCTV, burglar alarms, and locked secure areas. Access to these areas is specifically requested, authorized, and monitored, ensuring that only authorized personnel have access. |
| Are access control records retained periodically, as deemed appropriate by the organization? |
Yes, FastDraft retains access control records periodically as deemed appropriate by the organization, in alignment with our ISO 27001 certified Information Security Management System (ISMS). These records are maintained in accordance with defined retention policies and are regularly reviewed to ensure compliance with regulatory and contractual obligations. |
| Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated? |
Yes, the FastDraft platform, hosted in Microsoft Azure data centers, benefits from Azure's comprehensive security measures which include external perimeter datacenter surveillance systems and surveillance at all ingress and egress points. These security measures are maintained and operated continuously to ensure the integrity and security of the infrastructure. Azure's security compliance is validated by certifications such as ISO 27001 and SOC 1/2/3, ensuring best practices in physical security and data protection. |
| Are datacenter personnel trained to respond to unauthorized access or egress attempts? |
Yes, Microsoft Azure data centers, where the FastDraft platform is hosted, have personnel trained to respond to unauthorized access or egress attempts. Azure data centers are staffed with security personnel who are trained in physical security measures and emergency response. They follow strict access control protocols and surveillance to prevent and respond to security incidents effectively. This aligns with compliance standards such as ISO 27001 and SOC 1/2/3, ensuring a high level of security for our hosted services. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms? |
Yes, Built Intelligence has defined, implemented, and evaluated processes, procedures, and technical measures to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms. These measures are aligned with ISO 27001 standards and include physical security controls such as secure cable routing, access controls, and environmental protections. Additionally, our hosting on Microsoft Azure ensures further protection through their compliance with global security standards and physical security measures at their data centers. |
| Are data center environmental control systems designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards effectively implemented and maintained? |
Yes, FastDraft is hosted on Microsoft Azure, which implements and maintains environmental control systems in its data centers. These systems are designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards such as ASHRAE guidelines. Azure data centers are equipped with advanced HVAC and cooling systems to manage environmental conditions, ensuring optimal performance and reliability of hosted services. Azure's compliance with global standards, including ISO 27001, further supports the effective implementation and maintenance of these controls. |
| Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness? |
Yes, utility services within the FastDraft platform, hosted on Microsoft Azure, are secured, monitored, maintained, and tested at planned intervals to ensure continual effectiveness. Azure provides robust security measures, automated monitoring, and maintenance capabilities. Regular testing, including penetration testing and vulnerability assessments, is conducted to ensure the security and resilience of our services. These practices are aligned with our ISO 27001 certification and Azure's compliance standards. |
| Is business-critical equipment segregated from locations subject to a high probability of environmental risk events? |
Yes, FastDraft is hosted on Microsoft Azure, which ensures that business-critical equipment is segregated from locations subject to high probability of environmental risk events. Azure data centers are strategically located worldwide with built-in redundancy and disaster recovery capabilities, including geographic distribution to mitigate risks from environmental threats. Azure's infrastructure complies with global standards such as ISO 27001, ensuring high levels of physical and environmental security. |
| Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level? |
Yes, Built Intelligence has established, documented, approved, communicated, enforced, evaluated, and maintained policies and procedures for the classification, protection, and handling of data throughout its lifecycle. These policies align with applicable laws and regulations, standards, and the assessed risk level. Our Information Security Management System (ISMS), certified under ISO 27001, outlines these procedures, which include data classification, handling, storage, transmission, and destruction protocols. Compliance with these policies is regularly reviewed and audited to ensure continuous improvement and adherence to legal and regulatory requirements. |
| Are data security and privacy policies and procedures reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates data security and privacy policies and procedures at least annually in alignment with our ISO 27001 certification requirements. This ensures ongoing compliance with evolving data protection laws and industry best practices, including GDPR and Cyber Essentials Plus standards. |
| Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means? |
Yes, Built Intelligence applies industry-accepted methods for secure data disposal from storage media, ensuring that information is not recoverable by any forensic means. This includes the use of data wiping software that adheres to standards such as NIST 800-88, which specifies methods for media sanitization to ensure that data is irrecoverable. Additionally, physical destruction of storage media is employed when necessary. These practices are part of our ISO 27001 compliant Information Security Management System (ISMS) and align with our data protection and privacy policies. |
| Is a data inventory created and maintained for sensitive and personal information (at a minimum)? |
Yes, Built Intelligence maintains a data inventory for sensitive and personal information as part of our ISO 27001 certified Information Security Management System (ISMS). This inventory includes details such as data type, classification, owner, and storage location, ensuring compliance with data protection laws and regulations. |
| Is data classified according to type and sensitivity levels? | Yes, Built Intelligence classifies data according to type, sensitivity levels, and legal requirements. We use a three-tier classification system: Confidential, Restricted, and Public, to ensure appropriate protection measures are applied based on the sensitivity and value of the information. This classification process is part of our ISO 27001 compliant Information Security Management System (ISMS), ensuring data is handled and protected according to its classification. |
| Is data flow documentation created to identify what data is processed and where it is stored and transmitted? |
Yes, FastDraft maintains comprehensive data flow documentation that identifies what data is processed, where it is stored, and how it is transmitted. This documentation is part of our Information Security Management System (ISMS) and aligns with ISO 27001 standards. It includes details on data handling within the Microsoft Azure infrastructure, ensuring data integrity and security through encrypted storage and secure data transmission protocols. |
| Is data flow documentation reviewed at defined intervals, at least annually, and after any change? |
Yes, data flow documentation is reviewed at defined intervals, at least annually, and after any significant change to ensure ongoing compliance and accuracy. This review process is part of our operational controls and is documented in our Information Security Management System (ISMS), aligning with ISO 27001 standards. |
| Is the ownership and stewardship of all relevant personal and sensitive data documented? |
Yes, Built Intelligence documents the ownership and stewardship of all relevant personal and sensitive data as part of our ISO 27001 certified Information Security Management System (ISMS). This documentation includes roles and responsibilities for data protection and privacy, ensuring compliance with GDPR and other relevant data protection laws. |
| Is data ownership and stewardship documentation reviewed at least annually? | Yes, data ownership and stewardship documentation is reviewed at least annually. This review is part of our compliance with ISO 27001 standards, ensuring that all documentation is current and reflects any changes in data management practices or regulatory requirements. This process is managed by our compliance team and includes updates to reflect any changes in the Microsoft Azure platform that we use for hosting the FastDraft platform. |
| Are systems, products, and business practices based on security principles by design and per industry best practices? |
Yes, FastDraft's systems, products, and business practices are based on security principles by design and adhere to industry best practices. We follow a structured Software Development Life Cycle (SDLC) that incorporates security from the initial design through development, testing, and deployment. Our platform is hosted on Microsoft Azure, which aligns with global security standards such as ISO 27001 and SOC 2 Type 2. We implement security controls and practices such as data encryption, regular penetration testing, and compliance with GDPR and other relevant regulations to ensure the security and integrity of our services and customer data. |
| Are systems, products, and business practices based on privacy principles by design and according to industry best practices? |
Yes, FastDraft is designed and operated based on privacy principles by design and according to industry best practices. Our platform, hosted on Microsoft Azure, adheres to privacy by design principles, ensuring that privacy is integrated into the system development process. We follow industry best practices such as data minimization, encryption, and access controls, aligning with standards like ISO 27001 and GDPR. Our privacy practices are regularly reviewed and updated to comply with evolving regulations and standards. |
| Are systems' privacy settings configured by default and according to all applicable laws and regulations? |
Yes, FastDraft's systems' privacy settings are configured by default to comply with all applicable laws and regulations, including GDPR and UK GDPR. Our platform is hosted on Microsoft Azure, which provides built-in compliance and privacy features that we leverage to ensure data protection and privacy by design and by default. |
| Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices? |
Yes, Built Intelligence conducts a Data Protection Impact Assessment (DPIA) when processing personal data, particularly when introducing new technologies or data processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This assessment considers the origin, nature, particularity, and severity of the risk in accordance with GDPR requirements and industry best practices. Our DPIA process is aligned with our ISO 27001 certified Information Security Management System (ISMS) and includes consultation with stakeholders, risk assessment, mitigation measures, and compliance checks with applicable laws and regulations. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes, procedures, and technical measures to ensure the protection of personal and sensitive data during transfer. These measures comply with relevant laws and regulations, including GDPR. Data transfers are secured using encryption protocols such as TLS 1.2 or higher, and all data handling practices are aligned with our ISO 27001 certified Information Security Management System (ISMS). Additionally, data transfer agreements, including Standard Contractual Clauses (SCCs), are used when transferring data outside the EEA to ensure compliance with legal requirements. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)? |
Yes, Built Intelligence has defined, implemented, and evaluated processes, procedures, and technical measures that enable data subjects to request access to, modify, or delete their personal data in compliance with applicable laws and regulations such as the GDPR. Our Data Protection Policy outlines the steps data subjects can take to exercise their rights, and our systems are designed to facilitate these requests efficiently. Additionally, our ISO 27001 certification ensures that these processes are regularly reviewed and updated to maintain compliance and protect data subject rights. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to ensure that personal data is processed in compliance with applicable laws and regulations, and strictly for the purposes declared to the data subject. Our adherence to ISO 27001 and GDPR guidelines ensures that all personal data handling aligns with legal requirements and best practices, including data protection impact assessments, regular audits, and strict access controls. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)? |
Yes, Built Intelligence has defined, implemented, and evaluated processes, procedures, and technical measures for the transfer and sub-processing of personal data within the service supply chain, in accordance with applicable laws and regulations such as GDPR. Our ISO 27001 certified Information Security Management System (ISMS) includes controls for data transfer and sub-processing, ensuring compliance with legal and regulatory requirements. We utilize Standard Contractual Clauses (SCCs) for data transfers and conduct regular audits on our sub-processors to ensure they meet our security standards. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes, procedures, and technical measures to ensure that details of any personal or sensitive data accessed by sub-processors are disclosed to the data owner before processing initiation. This is in compliance with GDPR requirements and our ISO 27001 certified Information Security Management System (ISMS). Formal agreements with sub-processors include clauses that mandate the disclosure of such details, ensuring transparency and compliance with data protection laws. |
| Is authorization from data owners obtained, and the associated risk managed, before replicating or using production data in non-production environments? |
Yes, Built Intelligence obtains authorization from data owners and manages the associated risks before replicating or using production data in non-production environments. This process is aligned with our ISO 27001 certified Information Security Management System (ISMS), ensuring data protection and compliance with regulatory requirements. |
| Do data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations? |
Yes, FastDraft's data retention, archiving, and deletion practices are designed to comply with business requirements, applicable laws, and regulations. We align our practices with ISO 27001 standards, ensuring data is handled securely and in compliance with GDPR and other relevant legislation. Data retention periods are defined based on the type of data and its purpose, and we ensure secure deletion of data when it is no longer required or upon request, in accordance with legal obligations and customer agreements. |
| Are processes, procedures, and technical measures defined and implemented to protect sensitive data throughout its lifecycle? |
Yes, Built Intelligence has defined and implemented processes, procedures, and technical measures to protect sensitive data throughout its lifecycle. This includes data classification, access controls, encryption in transit and at rest, and secure data disposal practices. Our measures are aligned with ISO 27001 standards and GDPR requirements, ensuring data protection from creation and storage to transmission and deletion. |
| Does the CSP have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations? |
Yes, Built Intelligence has established procedures to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities in accordance with applicable laws and regulations. These procedures are part of our ISO 27001 certified Information Security Management System (ISMS) and are aligned with GDPR requirements. The process ensures that all requests are legally validated, documented, and handled in a manner that upholds the privacy and security of the data subject's information. |
| Does the CSP give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation? |
Yes, Built Intelligence ensures that the notification procedure to interested CSCs is given special attention, unless prohibited by law, such as in cases where confidentiality of a law enforcement investigation must be preserved. This is in compliance with our ISO 27001 certified Information Security Management System, which includes procedures for handling such legal constraints while ensuring transparency and communication with relevant stakeholders. |
| Are processes, procedures, and technical measures defined and implemented to specify and document physical data locations, including locales where data is processed or backed up? |
Yes, Built Intelligence has defined and implemented processes, procedures, and technical measures to specify and document physical data locations, including locales where data is processed or backed up. Our FastDraft platform is hosted on Microsoft Azure, utilizing data centers located in UK South, UK North, and West Europe to ensure data residency and compliance with local regulations such as GDPR. Data processing and backup locations are clearly documented in our internal ISMS policies and Azure's comprehensive compliance documentation. Additionally, Azure provides geo-redundant storage (GRS) to ensure data durability and high availability, which is part of our business continuity and disaster recovery strategies. |
| Are information governance program policies and procedures sponsored by organizational leadership established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained information governance program policies and procedures, sponsored by organizational leadership. These are integral to our ISO 27001 certified Information Security Management System (ISMS) and are regularly reviewed and updated to ensure they remain effective and compliant with relevant standards and regulations. |
| Are the policies and procedures reviewed and updated at least annually? | Yes, our policies and procedures are reviewed and updated at least annually to ensure they remain effective and compliant with current regulations and standards. This regular review process is part of our commitment to maintaining robust security and compliance standards across our platform and operations. |
| Is there an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks? |
Yes, Built Intelligence has an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. This program is integrated into our ISO 27001 certified Information Security Management System (ISMS), ensuring comprehensive management of all security and privacy risks associated with our cloud operations hosted on Microsoft Azure. The program includes regular risk assessments, mitigation strategies, and continuous monitoring to ensure the effectiveness of the controls in place. |
| Are all relevant organizational policies and associated procedures reviewed at least annually, or when a substantial organizational change occurs? |
Yes, all relevant organizational policies and associated procedures are reviewed at least annually or when a substantial organizational change occurs. This is in line with our commitment to maintaining a robust Information Security Management System (ISMS) and ensuring continuous improvement. The review process is documented and involves key stakeholders to ensure that all aspects of the organization's operations are considered. |
| Is an approved exception process mandated by the governance program established and followed whenever a deviation from an established policy occurs? |
Yes, an approved exception process is mandated by the governance program and is followed whenever there is a deviation from an established policy. This process ensures that all exceptions are documented, reviewed, and approved by the appropriate authorities within the organization, maintaining the integrity and compliance of our security and operational standards. |
| Has an information security program (including programs of all relevant CCM domains) been developed and implemented? |
Yes, Built Intelligence has developed and implemented an information security program that encompasses all relevant Cloud Control Matrix (CCM) domains. This program is aligned with our ISO 27001 certified Information Security Management System (ISMS), ensuring comprehensive coverage of security controls, risk management processes, and compliance requirements. The program includes policies and procedures for access control, incident response, data protection, and continuous improvement, among others, to safeguard our multi-tenant PaaS solution hosted on Microsoft Azure. |
| Are roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs defined and documented? |
Yes, roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs are defined and documented within our Information Security Management System (ISMS). This documentation includes detailed descriptions of roles such as the Information Security Manager, Information Security Team, and various asset and risk owners, ensuring clear accountability and authority for governance-related activities. This structure supports our commitment to continual improvement and effective governance as part of our ISO 27001 certified processes. |
| Are all relevant standards, regulations, legal/contractual, and statutory requirements applicable to your organization identified and documented? |
Yes, all relevant standards, regulations, legal/contractual, and statutory requirements applicable to our organization are identified and documented. We maintain compliance with industry standards and certifications such as ISO 27001 and Cyber Essentials Plus. Our compliance framework is integrated into our Microsoft Azure-hosted platform, ensuring adherence to legal and regulatory requirements across all operational and infrastructure levels. |
| Is contact established and maintained with cloud-related special interest groups and other relevant entities? |
Yes, Built Intelligence actively establishes and maintains contact with cloud-related special interest groups and other relevant entities to stay updated on the latest trends, best practices, and security standards in cloud computing. This engagement helps us ensure that our FastDraft platform, hosted on Microsoft Azure, aligns with industry-leading practices and complies with relevant regulations. |
| Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained background verification policies and procedures for all new employees, including remote employees, contractors, and third parties. These procedures are part of our ISO 27001 certified Information Security Management System (ISMS) and are regularly reviewed to ensure compliance and effectiveness in mitigating risks associated with hiring. |
| Are background verification policies and procedures designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk? |
Yes, Built Intelligence ensures that background verification policies and procedures are designed according to local laws, regulations, ethics, and contractual constraints. These policies are proportional to the data classification to be accessed, business requirements, and acceptable risk. Our background checks are conducted in compliance with relevant laws such as UK GDPR and are aligned with our ISO 27001 certified Information Security Management System (ISMS), ensuring that personnel handling sensitive data meet security and integrity standards. |
| Are background verification policies and procedures reviewed and updated at least annually? |
Yes, our background verification policies and procedures are reviewed and updated at least annually to ensure they remain effective and compliant with current legal and regulatory requirements. This is part of our commitment to maintaining a secure and trustworthy environment, as outlined in our ISO 27001 certified Information Security Management System (ISMS). |
| Are policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets are established, documented, approved, communicated, applied, evaluated, and maintained. These policies are part of our Information Security Management System (ISMS) and are aligned with ISO 27001 standards, ensuring that all organizational assets are used appropriately and securely. Regular reviews and updates to these policies are conducted to adapt to new security threats and changes in the organization. |
| Are the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets reviewed and updated at least annually? |
Yes, the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets are reviewed and updated at least annually. This is part of our commitment to maintaining a robust information security management system (ISMS), as outlined in our ISMS documentation and supported by our adherence to ISO 27001 standards. The review process is managed by our Information Security Team, ensuring that all updates align with the latest security practices and compliance requirements. |
| Are policies and procedures requiring unattended workspaces to conceal confidential data established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures requiring unattended workspaces to conceal confidential data. These policies are part of our ISO 27001 certified Information Security Management System (ISMS) and are regularly reviewed to ensure compliance and effectiveness in protecting confidential information. |
| Are policies and procedures requiring unattended workspaces to conceal confidential data reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures requiring unattended workspaces to conceal confidential data at least annually. This is part of our ISO 27001 certified Information Security Management System (ISMS), ensuring continuous alignment with best practices for data protection and security. |
| Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, and communicated policies and procedures to protect information accessed, processed, or stored at remote sites and locations. These policies are part of our ISO 27001 certified Information Security Management System (ISMS) and are regularly evaluated and maintained to ensure compliance and effectiveness. The procedures include secure remote access protocols, data encryption, and the use of VPNs, all monitored and managed within our Microsoft Azure infrastructure, ensuring robust security controls are consistently applied and reviewed. |
| Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures to protect information accessed, processed, or stored at remote sites and locations at least annually. This is in alignment with our ISO 27001 certification requirements, ensuring that our information security management practices remain robust and effective. |
| Are return procedures of organizationally-owned assets by terminated employees established and documented? |
Yes, the return procedures of organizationally-owned assets by terminated employees are established and documented. These procedures are part of our operational controls and are enforced through our HR and IT departments to ensure compliance and security of assets. |
| Are procedures outlining the roles and responsibilities concerning changes in employment established, documented, and communicated to all personnel? |
Yes, procedures outlining the roles and responsibilities concerning changes in employment are established, documented, and communicated to all personnel within the organization. These procedures are part of our internal security and compliance policies, ensuring that all employees are aware of their roles and responsibilities in the event of employment changes. This includes the management of access rights, responsibilities, and the secure handling of information during transitions. |
| Are employees required to sign an employment agreement before gaining access to organizational information systems, resources, and assets? |
Yes, all employees are required to sign an employment agreement that includes clauses on confidentiality, data protection, and security responsibilities before gaining access to organizational information systems, resources, and assets. This ensures compliance with our security policies and regulatory requirements. |
| Are provisions and/or terms for adherence to established information governance and security policies included within employment agreements? |
Yes, provisions and terms for adherence to established information governance and security policies are included within employment agreements at Built Intelligence. These provisions mandate compliance with our ISO 27001 certified Information Security Management System (ISMS) and are enforced through regular audits and training, ensuring all employees understand their responsibilities regarding information security and governance. |
| Are employee roles and responsibilities relating to information assets and security documented and communicated? |
Yes, Built Intelligence has documented and communicated employee roles and responsibilities relating to information assets and security as part of our Information Security Management System (ISMS), which is compliant with ISO 27001 standards. This documentation includes specific roles such as the Information Security Manager, Asset Owners, and Information Security Risk Owner, each with clearly defined responsibilities and authorities regarding the management and protection of information assets. These roles and their responsibilities are communicated internally through training, policy documents, and our internal communication platforms. |
| Are requirements for non-disclosure/confidentiality agreements reflecting organizational data protection needs and operational details identified, documented, and reviewed at planned intervals? |
Yes, Built Intelligence ensures that requirements for non-disclosure and confidentiality agreements reflect organizational data protection needs and operational details. These agreements are identified, documented, and reviewed at planned intervals in alignment with our ISO 27001 certified Information Security Management System (ISMS). This process includes regular updates to address changes in legal, regulatory, and business environments, ensuring continuous protection of sensitive information and compliance with applicable laws and standards. |
| Is a security awareness training program for all employees of the organization established, documented, approved, communicated, applied, evaluated and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained a security awareness training program for all employees as part of our ISO 27001 ISMS compliance. This program includes regular training sessions upon induction and annually thereafter, covering the importance of information security, the company's security policies, and employees' roles in maintaining security. The effectiveness of the training is reviewed regularly to ensure it meets our security objectives and compliance requirements. |
| Are regular security awareness training updates provided? | Yes, Built Intelligence provides regular security awareness training updates to all employees as part of our ISO 27001 compliance. Training sessions are conducted annually and whenever significant changes occur in security policies or threats. This ensures that our staff remains informed and vigilant about the latest security practices and threats. |
| Are all employees granted access to sensitive organizational and personal data provided with appropriate security awareness training? |
Yes, all employees granted access to sensitive organizational and personal data are provided with appropriate security awareness training. This training is mandatory upon hiring and is refreshed annually, aligning with our ISO 27001 compliance requirements. The training covers data protection, secure data handling, recognizing phishing attempts, and other security best practices to ensure that all employees are aware of their responsibilities in protecting sensitive information. |
| Are all employees granted access to sensitive organizational and personal data provided with regular updates in procedures, processes, and policies relating to their professional function? |
Yes, all employees at Built Intelligence with access to sensitive organizational and personal data are provided with regular updates in procedures, processes, and policies relating to their professional functions. This is part of our commitment to ISO 27001 and GDPR compliance, ensuring that all staff are aware of and adhere to the latest security practices and data protection requirements. Training is conducted upon hiring and annually thereafter, with additional updates provided as necessary when changes occur. |
| Are employees notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations? |
Yes, all employees at Built Intelligence are notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations. This is ensured through our ISO 27001 certified Information Security Management System (ISMS), which includes mandatory training upon hiring and annual refreshers. Additionally, our internal communication platforms and management oversight ensure continual awareness and adherence to these obligations. |
| Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained? |
Yes, identity and access management policies and procedures are established, documented, approved, communicated, implemented, applied, evaluated, and maintained as part of our ISO 27001 certified Information Security Management System (ISMS). These policies cover role-based access control, user account lifecycle management, and regular access reviews, ensuring compliance with security best practices and regulatory requirements. |
| Are identity and access management policies and procedures reviewed and updated at least annually? |
Yes, our identity and access management policies and procedures are reviewed and updated at least annually to ensure they remain effective and compliant with current security standards and regulations. This regular review is part of our commitment to maintaining a robust security posture and is aligned with our ISO 27001 certification requirements. |
| Are strong password policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained? |
Yes, FastDraft has established, documented, approved, communicated, implemented, applied, evaluated, and maintained strong password policies and procedures. These policies align with the UK National Cyber Security Centre guidance, ensuring robust password complexity, regular changes, and prohibiting password reuse. Additionally, two-factor authentication enhances security for user accounts, especially when accessing from non-trusted networks. These practices are part of our ISO 27001 certified Information Security Management System, ensuring continuous evaluation and improvement of our password management procedures. |
| Are strong password policies and procedures reviewed and updated at least annually? |
Yes, our strong password policies and procedures are reviewed and updated at least annually to align with the latest security best practices and compliance requirements, including guidance from the UK National Cyber Security Centre. This review is part of our ISO 27001 certified Information Security Management System, ensuring that our password policies remain robust and effective in protecting user data and access. |
| Is system identity information and levels of access managed, stored, and reviewed? | Yes, system identity information and levels of access are managed, stored, and reviewed at FastDraft. We utilize Azure Active Directory for identity management and role-based access control (RBAC) to ensure appropriate access levels. Regular reviews and audits of access rights are conducted in line with our ISO 27001 certified Information Security Management System (ISMS) to maintain security and compliance. |
| Is the separation of duties principle employed when implementing information system access? |
Yes, the separation of duties principle is employed in the implementation of information system access at FastDraft. This is achieved through role-based access controls (RBAC) which ensure that access rights are granted according to the roles assigned to users within the organization. This approach minimizes the risk of unauthorized access and ensures that users only have access to the information and functions necessary for their specific roles. Additionally, our Information Security Team, as part of the ISMS, regularly reviews and updates access controls to maintain compliance and security standards. |
| Is the least privilege principle employed when implementing information system access? |
Yes, the least privilege principle is employed in the implementation of information system access at Built Intelligence. We utilize Role-Based Access Control (RBAC) to ensure that users are granted access only to the resources necessary for their roles. This approach is consistently applied across all systems and services, including those managed by subcontractors, in alignment with our ISO 27001 and Cyber Essentials Plus certifications. |
| Is a user access provisioning process defined and implemented which authorizes, records, and communicates data and assets access changes? |
Yes, FastDraft has a defined and implemented user access provisioning process that authorizes, records, and communicates data and assets access changes. This process is integrated with Microsoft Azure's infrastructure, utilizing Azure Active Directory for identity management and access control. Changes in access are logged and monitored through Azure's security and compliance centers, ensuring that all modifications are authorized, recorded, and communicated appropriately. This process is in line with our ISO 27001 and Cyber Essentials Plus certifications, which emphasize the importance of secure access control and audit trails. |
| Is a process in place to de-provision or modify the access, in a timely manner, of movers / leavers or system identity changes, to effectively adopt and communicate identity and access management policies? |
Yes, FastDraft has a process in place to de-provision or modify access for movers, leavers, or system identity changes in a timely manner. This process is part of our identity and access management policies, which are enforced through role-based access controls and automated workflows within the Microsoft Azure infrastructure. Changes in user status are communicated and implemented promptly to ensure that access rights are always current and secure. This capability is supported by Azure Active Directory, which provides robust tools for managing and securing identities. |
| Are reviews and revalidation of user access for least privilege and separation of duties completed with a frequency commensurate with organizational risk tolerance? |
Yes, reviews and revalidation of user access for least privilege and separation of duties are completed with a frequency that aligns with our organizational risk tolerance. These reviews are conducted quarterly as part of our ISO 27001 access control procedures. We ensure that access rights are appropriate, enforce the principle of least privilege, and maintain separation of duties across all user roles. This process is supported by our role-based access control (RBAC) system and is audited regularly to ensure compliance and effectiveness. |
| Are processes, procedures, and technical measures for the segregation of privileged access roles defined, implemented, and evaluated such that administrative data access, encryption, key management capabilities, and logging capabilities are distinct and separate? |
Yes, processes, procedures, and technical measures for the segregation of privileged access roles are defined, implemented, and evaluated within our organization. We ensure that administrative data access, encryption key management, and logging capabilities are distinct and separate. This is managed through role-based access controls (RBAC) and privileged access management (PAM) systems, which enforce the principle of least privilege across our Microsoft Azure-hosted infrastructure. Our approach aligns with ISO 27001 standards and our internal information security policies, ensuring effective segregation of duties and minimizing the risk of unauthorized access or data breaches. |
| Is an access process defined and implemented to ensure privileged access roles and rights are granted for a limited period? |
Yes, an access process is defined and implemented to ensure that privileged access roles and rights are granted for a limited period. Privileges are allocated on a need-to-use and event-by-event basis, with the request for allocation of a privilege initiated and documented by the user concerned to the Asset Owner or Information Security Manager. This documentation sets out the reasons why the privilege is required and the length of time for which it is required. The Information Security Manager retains a log of all privileges authorized and allocated and checks on a regular basis that they have been deactivated as specified in the original request. |
| Are procedures implemented to prevent the culmination of segregated privileged access? |
Yes, FastDraft implements procedures to prevent the culmination of segregated privileged access. We utilize role-based access control (RBAC) within Microsoft Azure to enforce strict segregation of duties. Each role is defined with specific permissions that limit access to necessary resources only. Additionally, Azure Active Directory (AAD) is used for identity management, ensuring that access rights are granted based on the principle of least privilege. These controls are audited regularly to ensure compliance with our ISO 27001 and Cyber Essentials Plus certifications. |
| Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high risk as (defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes and procedures for customers to participate in granting access for high-risk privileged access roles, as defined by our organizational risk assessment. These procedures are aligned with ISO 27001 standards and include customer involvement where applicable, ensuring that access is granted following strict guidelines and oversight. |
| Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated? |
Yes, processes, procedures, and technical measures are defined, implemented, and evaluated to ensure that the logging infrastructure is "read-only" for all users, including those with privileged access roles. Our system administrators are prohibited from erasing or deactivating logs of their own activities. Audit log reports are classified as confidential information and must be handled in line with our Information Security Management System (ISMS) requirements. Controls have been implemented to protect against unauthorized changes, alterations, editing, deletion, and overwriting of log information. System logs are securely stored and archived in line with record retention requirements, ensuring compliance with our ISO 27001 and Cyber Essentials Plus certifications. |
| Is the ability to disable the "read-only" configuration of logging infrastructure controlled through a procedure that ensures the segregation of duties and break glass procedures? |
Yes, the ability to disable the "read-only" configuration of logging infrastructure is controlled through a procedure that ensures the segregation of duties and break glass procedures. This is managed through role-based access controls and audit policies within Microsoft Azure, ensuring that only authorized personnel with specific roles can make such changes. Additionally, any changes to the logging configuration are logged and monitored to ensure compliance with our security policies and procedures. |
| Are processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) defined, implemented, and evaluated? |
Yes, FastDraft implements processes, procedures, and technical measures that ensure users are uniquely identifiable through user identification. This is achieved through the use of Microsoft Azure Active Directory (Azure AD) for identity management, which supports unique user identification and authentication. We regularly evaluate these measures to ensure compliance with security best practices and our ISO 27001 certification requirements. This includes regular audits, reviews, and updates to our identity management protocols to maintain the integrity and security of user identification. |
| Are processes, procedures, and technical measures for authenticating access to systems, application, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated? |
Yes, processes, procedures, and technical measures for authenticating access to systems, applications, and data assets are defined, implemented, and evaluated at FastDraft. We utilize Microsoft Azure's infrastructure capabilities to enforce multifactor authentication (MFA) and role-based access control (RBAC) to ensure that access is granted based on the principle of least privilege. Azure Active Directory (Azure AD) is used to manage identities and enforce authentication policies, including MFA, particularly for accessing sensitive data. These measures are regularly reviewed and updated to comply with our security policies and industry best practices, including ISO 27001 and Cyber Essentials Plus standards. |
| Are digital certificates or alternatives that achieve an equivalent security level for system identities adopted? |
Yes, FastDraft adopts digital certificates and alternatives that achieve an equivalent security level for system identities. We utilize Microsoft Azure's infrastructure, which includes Azure Key Vault for managing secrets and certificates securely. Additionally, our implementation of Single Sign-On (SSO) and Multi-Factor Authentication (MFA) across all modules and functional areas further enhances the security of system identities. These measures align with industry best practices and compliance standards, ensuring robust security for system identities within our platform. |
| Are processes, procedures, and technical measures for the secure management of passwords defined, implemented, and evaluated? |
Yes, FastDraft has defined, implemented, and regularly evaluates processes, procedures, and technical measures for the secure management of passwords. These measures are aligned with the UK National Cyber Security Centre guidance and include the use of strong, unique passwords, regular password changes, and multi-factor authentication. Additionally, password management is supported by Auth0's IDaaS platform, which provides features such as password strength monitoring and one-time passwords. These practices are part of our ISO 27001 compliant Information Security Management System, ensuring robust security controls and continuous improvement. |
| Are processes, procedures, and technical measures to verify access to data and system functions authorized, defined, implemented, and evaluated? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes, procedures, and technical measures to verify and authorize access to data and system functions. Our access control procedures are aligned with ISO 27001 standards and include role-based access controls (RBAC), multi-factor authentication (MFA), and regular access reviews to ensure that access rights are appropriate and up-to-date. These measures are supported by Microsoft Azure's infrastructure, which provides advanced security features such as Azure Active Directory for identity management and Azure Role-Based Access Control. We conduct regular audits and reviews to ensure compliance and effectiveness of these controls. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs)? |
Yes, FastDraft has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures for communications between application services, including APIs. These are governed by our comprehensive Information Security Management System (ISMS), which aligns with ISO 27001 standards. Our API documentation, which is available upon request, details the security measures and protocols in place to ensure secure and effective communication between services. This includes authentication, authorization, encryption, and secure data transmission standards. Additionally, our use of Microsoft Azure infrastructure provides built-in security controls and compliance frameworks to further safeguard these communications. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information processing interoperability? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures for information processing interoperability. These are aligned with ISO 27001 standards and are part of our Information Security Management System (ISMS). Interoperability procedures ensure that our systems, including FastDraft, effectively interact with other systems, both internally and with third-party services, maintaining security and functionality. These procedures are regularly reviewed and updated to adapt to new technological and business requirements. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for application development portability? |
Yes, FastDraft has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures for application development portability. These are outlined in our Information Security Management System (ISMS) and adhere to ISO 27001 standards. Our development practices ensure that FastDraft's application is built on Microsoft Azure PaaS, supporting scalability and flexibility across different environments, which is critical for maintaining portability. These procedures are regularly reviewed and updated to align with evolving security standards and technological advancements. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information/data exchange, usage, portability, integrity, and persistence? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures for information and data exchange, usage, portability, integrity, and persistence. These are aligned with ISO 27001 standards and are part of our Information Security Management System (ISMS), ensuring compliance with data protection laws and regulations. Our procedures include secure data transfer protocols, data integrity checks, and measures for maintaining data persistence, all regularly reviewed and updated to address emerging security threats and technological changes. |
| Are interoperability and portability policies and procedures reviewed and updated at least annually? |
Yes, interoperability and portability policies and procedures are reviewed and updated at least annually to ensure they align with current technological standards and business requirements. This regular review is part of our commitment to maintaining ISO 27001 standards and ensuring our systems and services remain efficient, secure, and compliant with industry best practices. |
| Are CSCs able to programmatically retrieve their data via an application interface(s) to enable interoperability and portability? |
Yes, FastDraft supports interoperability and portability by allowing CSCs to programmatically retrieve their data via application interfaces. Our platform provides robust API access that enables seamless integration with other systems, ensuring that data can be efficiently exchanged and utilized across different platforms. This capability is supported by our use of Microsoft Azure PaaS services, which ensure secure and scalable interactions with external applications. |
| Are cryptographically secure and standardized network protocols implemented for the management, import, and export of data? |
Yes, FastDraft implements cryptographically secure and standardized network protocols for the management, import, and export of data. We use TLS 1.2 or higher for all data in transit and AES-256 encryption for data at rest, ensuring compliance with industry standards and best practices. These protocols are part of our ISO 27001 certified Information Security Management System, ensuring secure and standardized handling of data across our platform. |
| Do agreements include provisions specifying CSC data access upon contract termination, and have the following? a. Data format b. Duration data will be stored c. Scope of the data retained and made available to the CSCs d. Data deletion policy |
Yes, Built Intelligence includes comprehensive data exit and retention provisions in all customer contracts for the FastDraft platform. Upon contract termination, customers (CSC) can request a copy of their data in commonly used formats such as SQL backups, CSV exports, or structured JSON files (a). Data is retained as per the agreed rentention policies in the contract (b). The scope of accessible data includes all user-generated content, file uploads, and transaction records associated with the customer’s project(s) (c). After the retention window, data is securely deleted following our documented data deletion policy, which complies with ISO 27001 and GDPR requirements (d). |
| Are infrastructure and virtualization security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained infrastructure and virtualization security policies and procedures. These are outlined in our ISMS documents, specifically ISMS DOC TEC01, which covers operations including change management, capacity management, and protection against malware. Our policies are regularly reviewed and updated to align with emerging risks and changes in the business environment, ensuring compliance with ISO 27001 standards. |
| Are infrastructure and virtualization security policies and procedures reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates infrastructure and virtualization security policies and procedures at least annually, in alignment with our ISO 27001 certification requirements. This ensures that our policies remain effective and compliant with current security standards and best practices. |
| Is resource availability, quality, and capacity planned and monitored in a way that delivers required system performance, as determined by the business? |
Yes, resource availability, quality, and capacity are planned and monitored to ensure required system performance as determined by the business. This is managed through Microsoft Azure's capabilities such as autoscaling, load balancing, and performance monitoring tools, ensuring that FastDraft meets the performance standards set by our business requirements. Azure's infrastructure provides detailed insights and analytics that help us maintain optimal performance and resource allocation. |
| Are communications between environments monitored? | Yes, communications between environments in FastDraft are monitored. We utilize Azure's native capabilities such as Azure Monitor and Azure Security Center to oversee and manage the traffic and activities between our environments. This ensures that any unusual or unauthorized activities are detected and addressed promptly, maintaining the integrity and security of our data and services. |
| Are communications between environments encrypted? | Yes, communications between environments in FastDraft are encrypted. We utilize Microsoft Azure's built-in security controls, including TLS/SSL protocols, to ensure that all data in transit is securely encrypted. This aligns with industry best practices and compliance standards such as ISO 27001, which we are certified under. |
| Are communications between environments restricted to only authenticated and authorized connections, as justified by the business? |
Yes, communications between environments in the FastDraft platform are restricted to only authenticated and authorized connections. This is enforced through role-based access controls and secure communication protocols implemented within the Microsoft Azure infrastructure. Azure's built-in security controls, including network security groups and application gateways, ensure that only legitimate and authorized traffic is allowed between different segments of our environment, aligning with business justifications and compliance requirements. |
| Are network configurations reviewed at least annually? | Yes, network configurations for FastDraft are reviewed at least annually. This review is part of our ISO 27001 compliant Information Security Management System (ISMS) processes, which include regular audits and assessments of our network infrastructure hosted on Microsoft Azure. These reviews ensure that configurations are optimized for security, performance, and compliance with current industry standards and best practices. |
| Are network configurations supported by the documented justification of all allowed services, protocols, ports, and compensating controls? |
Yes, all network configurations in FastDraft are supported by documented justifications for all allowed services, protocols, ports, and compensating controls. These configurations are aligned with our ISO 27001 certified Information Security Management System (ISMS) and are regularly reviewed to ensure they meet security best practices and compliance requirements. Changes to network configurations are managed through our change control process, ensuring that any modifications are justified, documented, and approved by relevant authorities. |
| Is every host and guest OS, hypervisor, or infrastructure control plane hardened (according to their respective best practices) and supported by technical controls as part of a security baseline? |
Yes, FastDraft is hosted on Microsoft Azure, where the host and guest OS, hypervisors, and infrastructure control planes are hardened according to their respective best practices. Azure follows a rigorous security baseline that includes regular updates, patch management, and compliance with international security standards such as ISO 27001, SOC 1/2/3, and PCI DSS. Technical controls implemented include network segmentation, access controls, threat detection, and response mechanisms, ensuring a robust security posture for the hosted services. |
| Are production and non-production environments separated? | Yes, FastDraft ensures that production and non-production environments are separated. This separation is maintained within the Microsoft Azure infrastructure, which provides distinct and secure environments for different stages of application deployment, including development, testing, and production. This approach aligns with best practices for security and operational efficiency, ensuring that testing and development activities do not impact the production environment. |
| Are applications and infrastructures designed, developed, deployed, and configured such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented, segregated, monitored, and restricted from other tenants? |
Yes, FastDraft's multi-tenant PaaS solution hosted on Microsoft Azure ensures that user access and intra-tenant access are appropriately segmented, segregated, monitored, and restricted from other tenants. We utilize Azure's built-in security controls and services such as Azure Active Directory for identity management and access control, and Azure Virtual Networks to isolate network traffic between tenants. Additionally, role-based access controls (RBAC) are implemented to ensure that users can only access resources necessary for their role. Monitoring and logging are handled by Azure Monitor and Azure Security Center, providing visibility and proactive security alerts. This architecture aligns with our ISO 27001 certification requirements regarding information security management. |
| Are secure and encrypted communication channels including only up-to-date and approved protocols used when migrating servers, services, applications, or data to cloud environments? |
Yes, FastDraft utilizes secure and encrypted communication channels, including only up-to-date and approved protocols, when migrating servers, services, applications, or data to cloud environments. We employ TLS 1.2 or higher for all data in transit and AES-256 encryption for data at rest, strictly adhering to Microsoft Azure's security standards. This ensures compliance with industry best practices and regulatory requirements for data protection. |
| Are high-risk environments identified and documented? | Yes, high-risk environments within the FastDraft platform are identified and documented as part of our ISO 27001 compliant Information Security Management System (ISMS). This includes detailed risk assessments and mitigation strategies for environments handling sensitive data, ensuring robust security controls and compliance with regulatory requirements. |
| Are processes, procedures, and defense-in-depth techniques defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and defense-in-depth techniques for the protection, detection, and timely response to network-based attacks. Our security strategy is aligned with ISO 27001 standards and leverages Microsoft Azure's robust security features, including Azure Firewall, Network Security Groups (NSGs), and Azure Sentinel for comprehensive monitoring and threat detection. We conduct regular security assessments, penetration testing, and real-time monitoring to ensure rapid response to any network-based threats, maintaining the integrity and availability of the FastDraft platform. |
| Are logging and monitoring policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, logging and monitoring policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained as per our ISMS documentation. These procedures are integral to our operations and compliance with security standards, including ISO 27001. We utilize Azure's native capabilities such as Azure Monitor and Azure Security Center to ensure comprehensive logging and real-time monitoring. These tools help us maintain and manage the security and performance of our infrastructure effectively. |
| Are policies and procedures reviewed and updated at least annually? | Yes, our policies and procedures are reviewed and updated at least annually to ensure they remain effective and compliant with current regulations and standards. This is part of our commitment to maintaining robust security and compliance frameworks, as outlined in our internal documentation and supported by our ISO 27001 certification. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure audit log security and retention? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to ensure the security and retention of audit logs. These measures are aligned with ISO 27001 standards and include secure storage, restricted access, regular reviews, and real-time monitoring to detect and respond to anomalies. Logs are retained according to defined schedules that comply with legal and regulatory requirements, ensuring both the integrity and availability of audit data. |
| Are security-related events identified and monitored within applications and the underlying infrastructure? |
Yes, security-related events are identified and monitored within the FastDraft application and the underlying Microsoft Azure infrastructure. We utilize Azure Security Center and Azure Monitor to continuously track and manage security events, including unauthorized access attempts, system changes, and potential security threats. This proactive monitoring aligns with our ISO 27001 certified Information Security Management System (ISMS) and helps ensure the integrity and security of both the application and infrastructure layers. |
| Is a system defined and implemented to generate alerts to responsible stakeholders based on security events and their corresponding metrics? |
Yes, Built Intelligence has implemented a system to generate alerts to responsible stakeholders based on security events and their corresponding metrics. This system is integrated within our Microsoft Azure hosting environment and utilizes Azure Security Center and Azure Monitor. These tools provide comprehensive monitoring, threat detection, and alerting capabilities. Alerts are configured to notify designated security personnel and stakeholders via email and SMS based on predefined security events and metrics thresholds. This ensures timely and effective response to potential security incidents, aligning with our ISO 27001 and Cyber Essentials Plus standards. |
| Is access to audit logs restricted to authorized personnel, and are records maintained to provide unique access accountability? |
Yes, access to audit logs in the FastDraft platform is restricted to authorized personnel only, and records are maintained to ensure unique access accountability. We use role-based access controls (RBAC) to enforce strict access permissions, and all access to audit logs is logged and monitored to provide an auditable trail of who accessed what information and when. This aligns with our ISO 27001 and Cyber Essentials Plus certifications, ensuring compliance with industry best practices for data security and access control. |
| Are security audit logs monitored to detect activity outside of typical or expected patterns? |
Yes, security audit logs within FastDraft are monitored to detect activities that deviate from typical or expected patterns. We utilize Microsoft Azure's monitoring tools, including Azure Monitor and Azure Security Center, to continuously analyze log data for anomalies and suspicious activities. These tools help us ensure that any unusual patterns are quickly identified and investigated by our security team, aligning with our ISO 27001 and Cyber Essentials Plus standards for proactive threat detection and response. |
| Is a process established and followed to review and take appropriate and timely actions on detected anomalies? |
Yes, Built Intelligence has established and follows a process to review and take appropriate and timely actions on detected anomalies. This process is part of our ISO 27001 certified Information Security Management System (ISMS), which includes monitoring, detection, and response procedures for anomalies and events that could impact security. Anomalies are logged, analyzed, and escalated according to predefined severity levels, ensuring rapid and effective response to potential security incidents. |
| Is a reliable time source being used across all relevant information processing systems? |
Yes, FastDraft utilizes Microsoft Azure's infrastructure, which includes synchronization with reliable time sources for all information processing systems. This ensures that all operations and transactions within the FastDraft platform are timestamped accurately, maintaining consistency and reliability across the service. |
| Are logging requirements for information meta/data system events established, documented, and implemented? |
Yes, FastDraft has established, documented, and implemented logging requirements for information metadata and system events. We utilize Microsoft Azure's infrastructure capabilities, including Azure Monitor and Azure Log Analytics, to ensure comprehensive logging across all system and user activities. These logs include user access events, system changes, and data transactions, which are retained according to our data retention policies outlined in our security and compliance documentation. |
| Is the scope reviewed and updated at least annually, or whenever there is a change in the threat environment? |
Yes, the scope of the Information Security Management System (ISMS) is reviewed and updated at least annually or whenever there is a change in the threat environment, as per the requirements outlined in our ISMS documentation. This ensures that our security measures remain effective and aligned with current risks. |
| Are audit records generated, and do they contain relevant security information? | Yes, audit records are generated and contain relevant security information. These records include user activity, authentication events, system changes, and access to sensitive data. We use Azure Monitor and Microsoft Defender for Cloud to ensure comprehensive logging and monitoring, supporting security, compliance, and operational visibility. |
| Does the information system protect audit records from unauthorized access, modification, and deletion? |
Yes, the FastDraft platform protects audit records from unauthorized access, modification, and deletion. We utilize Microsoft Azure's security controls, including role-based access control (RBAC), encryption, and logging mechanisms, to ensure that audit records are securely managed. Access to audit records is strictly limited to authorized personnel, and all interactions with these records are logged and monitored to prevent and detect any unauthorized activities. |
| Are monitoring and internal reporting capabilities established to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls? |
Yes, Built Intelligence has established monitoring and internal reporting capabilities to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls. These capabilities are integrated into our ISO 27001 certified Information Security Management System (ISMS) and are supported by Microsoft Azure's comprehensive security and compliance features. We utilize Azure Key Vault for key management and encryption, ensuring that cryptographic keys are protected and managed securely. Regular audits and reports are conducted to ensure compliance with our internal policies and industry standards. |
| Are key lifecycle management events logged and monitored to enable auditing and reporting on cryptographic keys' usage? |
Yes, key lifecycle management events are logged and monitored to enable auditing and reporting on cryptographic keys' usage. We use Microsoft Azure Key Vault for managing cryptographic keys, which automatically logs all key lifecycle events such as creation, deletion, and access. These logs are integrated with Azure Monitor and Azure Security Center, providing comprehensive monitoring and alerting capabilities to ensure the security and compliance of key management operations. |
| Is physical access logged and monitored using an auditable access control system? |
Yes, physical access is logged and monitored using an auditable access control system. Our facilities, including data centers hosted by Microsoft Azure, implement strict physical security measures. Access logs are maintained and regularly audited in compliance with our ISO 27001 certification requirements, ensuring that all access is appropriately authorized and recorded. |
| Are processes and technical measures for reporting monitoring system anomalies and failures defined, implemented, and evaluated? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes and technical measures for reporting monitoring system anomalies and failures. These measures are integrated into our Microsoft Azure-hosted FastDraft platform and are aligned with ISO 27001 standards. We utilize Azure Monitor and Azure Security Center to detect, analyze, and respond to anomalies and failures. Alerts are configured to notify our IT and security teams of potential issues, and incident response procedures are in place to address and mitigate any identified problems. Regular reviews and updates of these processes ensure they remain effective and compliant with our security and operational policies. |
| Are accountable parties immediately notified about anomalies and failures? | Yes, accountable parties are immediately notified about anomalies and failures. Our FastDraft platform, hosted on Microsoft Azure, utilizes Azure Monitor and Azure Alerts to detect and notify relevant personnel of any system anomalies or failures. These tools provide real-time monitoring and alerting capabilities, ensuring that system owners and administrators are promptly informed for quick resolution. This aligns with our operational controls and procedures to maintain system integrity and availability. |
| Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, policies and procedures for security incident management, e-discovery, and cloud forensics are established, documented, approved, communicated, applied, evaluated, and maintained as part of our ISO 27001 certified Information Security Management System (ISMS). These procedures are regularly reviewed and updated to ensure they remain effective and compliant with current standards and regulations. |
| Are policies and procedures reviewed and updated annually? | Yes, our policies and procedures are reviewed and updated annually to ensure compliance with current regulations and industry best practices. This includes updates to our security and compliance policies, operational controls, and procedures, all of which are documented and approved at the executive level. |
| Are policies and procedures for timely management of security incidents established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, and communicated policies and procedures for the timely management of security incidents. These are maintained and evaluated as part of our ISO 27001 certified Information Security Management System (ISMS). Our incident management procedures ensure that all security incidents are assessed, contained, and remediated effectively. Regular reviews and updates to these procedures are conducted to ensure they remain effective and aligned with emerging security threats and compliance requirements. |
| Are policies and procedures for timely management of security incidents reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates policies and procedures for the timely management of security incidents at least annually. This is in accordance with our ISO 27001 certified Information Security Management System (ISMS) requirements, ensuring continuous improvement and alignment with emerging risks and changes in the business environment. |
| Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships such as supply-chain. This plan is part of our ISO 27001 certified Information Security Management System (ISMS) and aligns with our incident management document (ISMS DOC ORG08). The plan ensures coordinated response efforts across all necessary parties and is regularly reviewed and tested to ensure its effectiveness and compliance with current security standards and business requirements. |
| Is the security incident response plan tested and updated for effectiveness, as necessary, at planned intervals or upon significant organizational or environmental changes? |
Yes, Built Intelligence regularly tests and updates our security incident response plan to ensure its effectiveness. This is done at planned intervals and upon significant organizational or environmental changes, in alignment with ISO 27001 and Cyber Essentials Plus standards. These updates are based on the outcomes of cyber-attack simulations, risk assessments, and actual incidents to continuously improve our response capabilities. |
| Are information security incident metrics established and monitored? | Yes, Built Intelligence has established and monitors information security incident metrics as part of our ISO 27001 certified Information Security Management System (ISMS). Metrics include the number, type, severity, and resolution times of incidents, which are tracked through our incident management tool, ZenDesk. These metrics are reviewed monthly by the Information Security Manager and reported to the Information Security Team to ensure continuous improvement in our security posture and incident response capabilities. |
| Are processes, procedures, and technical measures supporting business processes to triage security-related events defined, implemented, and evaluated? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to triage security-related events. These are aligned with our ISO 27001 certified Information Security Management System (ISMS) and include incident identification, assessment, response, and recovery procedures. We utilize Microsoft Azure's security tools like Azure Security Center and Azure Monitor to detect and manage security events effectively. Regular reviews and updates to these processes ensure they remain effective and compliant with current security standards. |
| Are processes, procedures, and technical measures for security breach notifications defined and implemented? |
Yes, Built Intelligence has defined and implemented processes, procedures, and technical measures for security breach notifications as part of our ISO 27001 certified Information Security Management System (ISMS). These include immediate detection and reporting mechanisms, assessment and containment procedures, and timely notification to affected parties and regulatory authorities in compliance with GDPR and other relevant laws. |
| Are security breaches and assumed security breaches reported (including any relevant supply chain breaches) as per applicable SLAs, laws, and regulations? |
Yes, Built Intelligence reports all security breaches and assumed security breaches, including any relevant supply chain breaches, in accordance with applicable Service Level Agreements (SLAs), laws, and regulations. Our incident response plan, aligned with ISO 27001 and GDPR requirements, ensures timely notification to affected parties and regulatory bodies. This process includes immediate investigation, containment, eradication, and recovery actions, with documentation and review to prevent future occurrences. |
| Are points of contact maintained for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities? |
Yes, Built Intelligence maintains points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities as required under ISO 27001 and Cyber Essentials Plus certifications. This ensures compliance with legal and regulatory requirements and facilitates prompt communication in the event of security incidents or legal inquiries. |
| Are policies and procedures implementing the shared security responsibility model (SSRM) within the organization established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, policies and procedures implementing the shared security responsibility model (SSRM) within the organization are established, documented, approved, communicated, applied, evaluated, and maintained. These are integral to our ISMS and align with Azure's infrastructure capabilities, ensuring both application-level and infrastructure-level security controls are robustly managed. Regular reviews and audits, as per ISO 27001 and Cyber Essentials Plus certifications, ensure continuous improvement and compliance with these policies. |
| Are the policies and procedures that apply the SSRM reviewed and updated annually? | Yes, the policies and procedures that apply to the Security and Risk Management (SSRM) are reviewed and updated annually. This is in line with our commitment to maintaining a robust Information Security Management System (ISMS), as outlined in our internal documentation and leadership directives. The review process ensures that our policies remain effective and compliant with relevant standards and regulations, including ISO 27001 and Cyber Essentials Plus. |
| Is the SSRM applied, documented, implemented, and managed throughout the supply chain for the cloud service offering? |
Yes, the Supplier Security and Risk Management (SSRM) is applied, documented, implemented, and managed throughout the supply chain for our cloud service offering. FastDraft, hosted on Microsoft Azure, adheres to stringent security and compliance frameworks, including ISO 27001 and Cyber Essentials Plus. Azure's infrastructure provides robust security measures such as network segmentation, access controls, and continuous monitoring, which extend to all our suppliers and partners involved in the service delivery. Our operational controls and procedures ensure that all suppliers comply with our security policies and standards, which are regularly reviewed and updated to address emerging threats and vulnerabilities. |
| Is the CSC given SSRM guidance detailing information about SSRM applicability throughout the supply chain? |
Yes, Built Intelligence provides customers with a clear overview of the Shared Security Responsibility Model (SSRM) as it applies to the FastDraft platform. This documentation explains the division of security responsibilities between the customer, Built Intelligence, and Microsoft Azure. Customers are informed of their responsibilities around data access, user management, and project permissions, while Built Intelligence is responsible for infrastructure security, encryption, application-level controls, and vendor management. Additionally, Azure’s role in physical security and infrastructure compliance is outlined, providing transparency across the supply chain. |
| Is the shared ownership and applicability of all CSA CCM controls delineated according to the SSRM for the cloud service offering? |
Yes, the shared ownership and applicability of all Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) controls are delineated according to the Shared Security Responsibility Model (SSRM) for our cloud service offering. FastDraft, hosted on Microsoft Azure, clearly defines the responsibilities between us and our clients. Azure's infrastructure provides robust security measures compliant with CSA CCM, while FastDraft ensures application-level controls are in place and documented as per SSRM guidelines. |
| Is SSRM documentation for all cloud services the organization uses reviewed and validated? |
Yes, SSRM documentation for all cloud services used by the organization is reviewed and validated to ensure compliance with our security and regulatory standards. This includes a thorough assessment of the security measures and controls provided by our cloud service providers, such as Microsoft Azure. We maintain up-to-date certification records, including ISO 27001 and Cyber Essentials Plus, to support our compliance and security posture. |
| Are the portions of the SSRM the organization is responsible for implemented, operated, audited, or assessed? |
Yes, the portions of the Security and Risk Management (SSRM) that the organization is responsible for are implemented, operated, audited, and assessed. This includes adherence to our security policies, regular audits conducted by our internal teams and third-party auditors, and continuous assessments to ensure compliance with standards such as ISO 27001 and Cyber Essentials Plus. Our Information Security Team, led by the CTO and including roles such as the Information Security Manager, oversees these activities to maintain and improve our security posture. |
| Is an inventory of all supply chain relationships developed and maintained? | Yes, Built Intelligence maintains a detailed inventory of all third-party suppliers and service providers involved in delivering the FastDraft platform. This includes vendors providing cloud infrastructure (Microsoft Azure), identity and access management, email delivery (e.g., Mailgun), support services (e.g., Zendesk), and monitoring tools (e.g., Pingdom). Each vendor is assessed for compliance, security, and data protection alignment, and this inventory is reviewed regularly as part of our ISO 27001-certified supplier management process. |
| Are risk factors associated with all organizations within the supply chain periodically reviewed by CSPs? |
Yes, Built Intelligence periodically reviews risk factors associated with all organizations within the supply chain as part of our ISO 27001 certified Information Security Management System (ISMS). This includes regular assessments of suppliers and third-party service providers to ensure compliance with our security requirements and to mitigate potential risks in our supply chain. |
| Do service agreements between CSPs and CSCs (tenants) incorporate at least the following mutually agreed upon provisions and/or terms? • Scope, characteristics, and location of business relationship and services offered • Information security requirements (including SSRM) • Change management process • Logging and monitoring capability • Incident management and communication procedures • Right to audit and third-party assessment • Service termination • Interoperability and portability requirements • Data privacy |
Yes, the service agreements between Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) for FastDraft incorporate the following mutually agreed upon provisions and terms: - **Scope, Characteristics, and Location**: The agreements clearly define the scope of services, characteristics of the service offerings, and the geographical location of data storage and processing, leveraging Microsoft Azure's global infrastructure. - **Information Security Requirements**: These include specific security measures and controls that align with industry standards and certifications such as ISO 27001 and Cyber Essentials Plus, ensuring a robust security posture. - **Change Management Process**: The agreements outline the procedures for managing changes in the service or operational environment, ensuring that changes are controlled and do not adversely affect security. - **Logging and Monitoring Capability**: Leveraging Azure's native capabilities such as Azure Monitor and Azure Security Center, the agreements ensure comprehensive logging and real-time monitoring of the environment. - **Incident Management and Communication Procedures**: Detailed incident response plans and communication strategies are included to ensure timely and effective management of security incidents. - **Right to Audit and Third-Party Assessment**: The agreements provide CSCs with the right to conduct audits and to request third-party security assessments to verify compliance with the agreed security requirements. - **Service Termination**: Provisions for service termination are included, detailing the processes for data return, destruction, or transition to another service provider, ensuring data integrity and continuity. - **Interoperability and Portability Requirements**: These provisions ensure that data and services can be moved seamlessly between different platforms or providers, leveraging Azure's built-in support for data export and interoperability standards. - **Data Privacy**: The agreements comply with relevant data protection regulations such as GDPR, ensuring that data privacy is maintained throughout the data lifecycle. These provisions are designed to ensure a secure, reliable, and compliant operational environment for all tenants of the FastDraft platform hosted on Microsoft Azure. |
| Are supply chain agreements between CSPs and CSCs reviewed at least annually? | Yes, supply chain agreements between Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) are reviewed at least annually to ensure compliance with current regulations and standards, and to address any changes in operational requirements or security postures. This regular review process is part of our commitment to maintaining robust security and compliance standards across all our service offerings in Microsoft Azure. |
| Is there a process for conducting internal assessments at least annually to confirm the conformance and effectiveness of standards, policies, procedures, and SLA activities? |
Yes, Built Intelligence conducts internal assessments annually to confirm the conformance and effectiveness of our standards, policies, procedures, and SLA activities. These assessments are part of our ISO 27001 certified Information Security Management System (ISMS) and include reviews of our operational controls, security practices, and compliance with relevant regulations. The assessments are performed by our internal audit team and are supplemented by external audits from certified bodies to ensure thoroughness and objectivity. |
| Are policies that require all supply chain CSPs to comply with information security, confidentiality, access control, privacy, audit, personnel policy, and service level requirements and standards implemented? |
Yes, Built Intelligence has implemented policies that require all supply chain Cloud Service Providers (CSPs) to comply with information security, confidentiality, access control, privacy, audit, personnel policy, and service level requirements and standards. These policies are part of our ISO 27001 certified Information Security Management System (ISMS) and are enforced through contractual agreements and regular audits of our CSPs. Compliance with these policies ensures that our supply chain aligns with our security and privacy standards, protecting both our data and that of our customers. |
| Are supply chain partner IT governance policies and procedures reviewed periodically? | Yes, Built Intelligence periodically reviews the IT governance policies and procedures of our supply chain partners to ensure compliance with our security standards and contractual obligations. This review process is part of our broader vendor management and risk assessment practices, aligned with ISO 27001 requirements. |
| Is a process to conduct periodic security assessments for all supply chain organizations defined and implemented? |
Yes, Built Intelligence has defined and implemented a process to conduct periodic security assessments for all supply chain organizations. This process is part of our ISO 27001 certified Information Security Management System (ISMS) and includes regular reviews and audits of our suppliers to ensure compliance with our security requirements and standards. These assessments help manage and mitigate risks associated with third-party services and products integral to our operations and service delivery. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation. These procedures are part of our ISO 27001 certified Information Security Management System (ISMS) and are aligned with Cyber Essentials Plus requirements. Regular security scans, penetration testing, and vulnerability assessments are conducted to ensure continuous identification and mitigation of risks. Remediation activities are prioritized based on the severity and impact of the vulnerabilities identified. All relevant personnel are trained on these procedures to ensure effective implementation and compliance. |
| Are threat and vulnerability management policies and procedures reviewed and updated at least annually? |
Yes, Built Intelligence's threat and vulnerability management policies and procedures are reviewed and updated at least annually to ensure they remain effective and aligned with current security best practices and compliance requirements. This process is part of our ISO 27001 certified Information Security Management System (ISMS), which mandates regular reviews and updates to all security policies and procedures. |
| Are policies and procedures to protect against malware on managed assets established, documented, approved, communicated, applied, evaluated, and maintained? |
Yes, Built Intelligence has established, documented, approved, communicated, applied, evaluated, and maintained policies and procedures to protect against malware on managed assets. These measures are part of our ISO 27001 certified Information Security Management System (ISMS) and include the use of anti-malware software, application whitelisting, and regular updates and patches to our systems, hosted on Microsoft Azure. Our policies also mandate regular security training for employees to recognize and manage malware threats. These procedures are regularly reviewed and updated to adapt to new threats. |
| Are asset management and malware protection policies and procedures reviewed and updated at least annually? |
Yes, Built Intelligence reviews and updates asset management and malware protection policies and procedures at least annually. This is in alignment with our ISO 27001 certification requirements, which mandate regular reviews of security policies and operational controls to ensure they remain effective and compliant with evolving security standards and threats. These updates are documented and approved by senior management, ensuring our practices are current and robust. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to enable scheduled and emergency responses to vulnerability identifications (based on the identified risk)? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to enable both scheduled and emergency responses to identified vulnerabilities, in alignment with our ISO 27001 certified Information Security Management System (ISMS). Our approach includes regular security scans, penetration testing, and dependency checks at the application level, alongside Azure's infrastructure-level protections. Critical vulnerabilities trigger our incident response process, ensuring rapid mitigation. These measures are regularly reviewed and updated based on emerging threats and vulnerabilities, maintaining compliance with industry standards and best practices. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to update detection tools, threat signatures, and compromise indicators weekly (or more frequent) basis? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to update detection tools, threat signatures, and compromise indicators on a weekly basis. This is in alignment with our ISO 27001 certified Information Security Management System (ISMS) and leverages Microsoft Azure's infrastructure, including Azure Defender and Azure Security Center, which provide automated security updates and threat intelligence. These tools ensure that our security measures are up-to-date and effective against emerging threats, maintaining the security and integrity of the FastDraft platform. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to identify updates for applications that use third-party or open-source libraries (according to the organization's vulnerability management policy)? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical measures to identify updates for applications that use third-party or open-source libraries, in accordance with our vulnerability management policy outlined in our ISO 27001 ISMS documentation. This includes regular security scans, dependency checks, and the application of patches to address identified vulnerabilities, ensuring that all components of our FastDraft platform hosted on Microsoft Azure remain secure and up-to-date. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes, procedures, and technical measures for periodic, independent, third-party penetration testing. Our penetration tests are conducted annually by a CREST-approved provider, ensuring compliance with industry standards and our ISO 27001 certification. These tests help identify and mitigate vulnerabilities, enhancing the security posture of the FastDraft platform hosted on Microsoft Azure. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated for vulnerability detection on organizationally managed assets at least monthly? |
Yes, FastDraft implements processes, procedures, and technical measures for vulnerability detection on organizationally managed assets at least monthly. These measures include regular security scans, dependency checks, and penetration testing as part of our security strategy hosted on Microsoft Azure. Azure's infrastructure provides continuous security monitoring and threat management that align with our internal policies and the ISO 27001 and Cyber Essentials Plus standards we adhere to. |
| Is vulnerability remediation prioritized using a risk-based model from an industry-recognized framework? |
Yes, Built Intelligence prioritizes vulnerability remediation using a risk-based model aligned with industry-recognized frameworks such as OWASP and ISO 27001. Our approach includes regular vulnerability assessments, prioritization based on risk severity, and timely remediation to ensure the security and integrity of the FastDraft platform. |
| Is a process defined and implemented to track and report vulnerability identification and remediation activities that include stakeholder notification? |
Yes, Built Intelligence has a defined and implemented process to track and report vulnerability identification and remediation activities, which includes stakeholder notification. This process is part of our ISO 27001 certified Information Security Management System (ISMS). Vulnerabilities are logged, assessed, and prioritized for remediation in our system. Stakeholders are notified through established communication channels as per our incident response and stakeholder communication procedures. |
| Are metrics for vulnerability identification and remediation established, monitored, and reported at defined intervals? |
Yes, metrics for vulnerability identification and remediation are established, monitored, and reported at defined intervals as part of our ISO 27001 certified Information Security Management System (ISMS). We utilize Microsoft Azure's security tools to continuously monitor our infrastructure and applications for vulnerabilities. Remediation efforts are tracked and managed through our incident response process, ensuring timely updates and patches. Reports on these activities are reviewed monthly by our security team and quarterly by senior management to ensure ongoing compliance and improvement. |
| Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints? |
Yes, policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints as per our ISMS documentation. These include user endpoint devices such as laptops, mobile phones, and tablets, which are covered under our User Endpoint Devices policy (ISMS DOC TEC05). This policy outlines the responsibilities, required controls, and guidelines for the protection and management of endpoint devices. Regular audits, access controls, encryption, and training are part of these procedures to ensure compliance and security. |
| Are universal endpoint management policies and procedures reviewed and updated at least annually? |
Yes, our universal endpoint management policies and procedures are reviewed and updated at least annually. This is in accordance with our internal Information Security Management System (ISMS) guidelines, which mandate regular reviews to adapt to emerging risks and changes in the business environment. The Information Security Manager is responsible for ensuring compliance with this policy and for overseeing the annual review process. |
| Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data? |
Yes, FastDraft maintains a defined, documented, applicable, and evaluated list of approved services, applications, and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data. This list is part of our Information Security Management System (ISMS) and is regularly reviewed and updated to ensure compliance with our security policies and standards, including ISO 27001. Access to these services and applications is controlled through role-based access controls and authentication mechanisms, including Azure Active Directory and multi-factor authentication to ensure secure access to organization-managed data. |
| Is a process defined and implemented to validate endpoint device compatibility with operating systems and applications? |
Yes, FastDraft has a defined and implemented process to validate endpoint device compatibility with operating systems and applications. This process is part of our ISMS documentation under User Endpoint Devices (ISMS DOC TEC05), which ensures that all user endpoint devices are automatically updated with the most recent operating system and application security-related patches, fixes, and updates. Regular and ad hoc audits of all mobile devices are conducted to ensure that they are configured in compliance with this procedure. |
| Is an inventory of all endpoints used and maintained to store and access company data? |
Yes, FastDraft maintains an inventory of all endpoints used to store and access company data. This inventory is part of our comprehensive security and compliance framework, managed through Microsoft Azure's infrastructure. Azure provides robust tools for monitoring and managing endpoints, ensuring that all access points are secured and compliant with industry standards, including ISO 27001 and Cyber Essentials Plus. |
| Are processes, procedures, and technical measures defined, implemented and evaluated, to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data? |
Yes, Built Intelligence has defined, implemented, and regularly evaluates processes, procedures, and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data. These measures are aligned with ISO 27001 standards and include endpoint security solutions, access controls, encryption, and regular security assessments to ensure compliance and data protection across all organizational data handling activities. |
| Are all relevant interactive-use endpoints configured to require an automatic lock screen? |
Yes, all relevant interactive-use endpoints in the FastDraft platform are configured to require an automatic lock screen. This security measure is part of our comprehensive approach to safeguarding user data and ensuring the integrity of our multi-tenant PaaS solution hosted on Microsoft Azure. This feature is in alignment with our security policies and helps in maintaining compliance with industry standards and certifications such as ISO 27001. |
| Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process? |
Yes, changes to endpoint operating systems, patch levels, and/or applications are managed through the organizational change management process at FastDraft. We adhere to structured change management protocols to ensure that all modifications are reviewed, tested, and approved before implementation. This process is designed to minimize disruptions and maintain the integrity and security of our multi-tenant PaaS solution hosted on Microsoft Azure. |
| Is information protected from unauthorized disclosure on managed endpoints with storage encryption? |
Yes, information on managed endpoints is protected from unauthorized disclosure with storage encryption. FastDraft leverages Microsoft Azure’s infrastructure, which includes built-in encryption mechanisms for data at rest, ensuring that all stored data is encrypted using industry-standard protocols such as AES-256. This applies to all endpoints managed within the Azure environment, aligning with our ISO 27001 and Cyber Essentials Plus certifications. |
| Are anti-malware detection and prevention technology services configured on managed endpoints? |
Yes, FastDraft employs anti-malware detection and prevention technology services on all managed endpoints. This includes real-time scanning, automated updates, and advanced threat protection capabilities provided through Microsoft Defender for Endpoint, integrated within our Microsoft Azure infrastructure. This ensures robust security against malware, viruses, and other malicious threats, maintaining the integrity and security of our platform and user data. |
| Are software firewalls configured on managed endpoints? | Yes, All company-managed endpoints used to access and administer the FastDraft platform are configured with host-based firewalls. Built Intelligence uses centralized endpoint protection and configuration management to enforce firewall rules, detect anomalies, and ensure devices are compliant with internal security baselines. These configurations prevent unauthorized inbound traffic and support network segmentation policies when accessing Azure-hosted administrative consoles or sensitive data environments. |
| Are managed endpoints configured with data loss prevention (DLP) technologies and rules per a risk assessment? |
Yes, Built Intelligence configures managed endpoints with Data Loss Prevention (DLP) technologies and rules based on a comprehensive risk assessment. This is in alignment with our ISO 27001 certified Information Security Management System (ISMS), which includes policies and controls for data protection and loss prevention. DLP configurations are tailored to protect sensitive information against unauthorized access and data breaches, ensuring compliance with GDPR and other regulatory requirements. |
| Are remote geolocation capabilities enabled for all managed mobile endpoints? | Yes, Built Intelligence uses mobile device management (MDM) tools to manage and monitor mobile endpoints used by staff to access FastDraft or company resources. These tools support remote geolocation, remote lock, and remote wipe capabilities to protect data in case of device loss or theft. All mobile devices with access to FastDraft administrative or support tools must be enrolled in MDM and meet our minimum security requirements, including encryption and PIN protection. |
| Are processes, procedures, and technical measures defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices? |
Yes, processes, procedures, and technical measures are defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices. Our policy, as outlined in the User Endpoint Devices (ISMS DOC TEC05), mandates that all user endpoint devices are equipped with capabilities for remote disablement and wiping. This is enforced through the deployment of management software that allows our Information Security Team to remotely access and manage endpoint devices, ensuring the ability to delete company data remotely in case of device loss, theft, or when an employee leaves the company. This capability is regularly tested and audited to ensure compliance and effectiveness. |
| Are processes, procedures, and technical and/or contractual measures defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets? |
Yes, Built Intelligence has defined, implemented, and continuously evaluates processes, procedures, and technical and/or contractual measures to maintain the security of third-party endpoints accessing organizational assets. These measures are aligned with our ISO 27001 certified Information Security Management System (ISMS) and include: - Rigorous third-party risk assessments and due diligence before granting access. - Use of Data Processing Agreements (DPAs) that include security requirements and Standard Contractual Clauses (SCCs) for compliance with GDPR and other relevant regulations. - Implementation of role-based access controls (RBAC) to ensure that third-party access is restricted to what is necessary for their role. - Regular audits and reviews of third-party access and activities to ensure compliance with our security policies and standards. - Mandatory security training for third parties accessing our systems, covering best practices and compliance requirements. These measures ensure that third-party endpoints are secured and that their access to organizational assets does not compromise our security posture. |
Comments
0 comments
Please sign in to leave a comment.